CVE-2020-37238
Description
CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CMS Made Simple 2.2.15 allows authenticated Content Managers to upload SVG files with embedded JavaScript, enabling stored XSS that steals cookies and hijacks sessions.
Vulnerability
CMS Made Simple 2.2.15 contains a stored cross-site scripting (XSS) vulnerability in its file upload functionality. An authenticated user with Content Manager access can upload an SVG file containing embedded JavaScript code to the file manager. When other authenticated users access the uploaded SVG file, the JavaScript executes in the context of the victim's browser, leading to cookie theft and session hijacking. The vulnerability affects CMS Made Simple version 2.2.15 [1][4].
Exploitation
An attacker who is authenticated as a Content Manager can upload a crafted SVG file via the file manager. The exploit involves uploading an SVG file with embedded JavaScript (e.g., using the ` tag) and then tricking other authenticated users into opening the file. For example, the attacker can upload the malicious SVG to the images directory and then share the URL. When another authenticated user accesses the file (e.g., http://127.0.0.1/cmsms/uploads/images/SVG_XSS.svg`), the embedded script executes, allowing the attacker to steal cookies and perform session hijacking [1].
Impact
Successful exploitation allows the attacker to steal the session cookies of any authenticated user who views the malicious SVG file. This can lead to session hijacking, where the attacker gains unauthorized access to the victim's account with the same privileges. Since the vulnerability is stored, the malicious file persists on the server and can affect multiple users over time. The attack does not require high privileges beyond Content Manager access and can compromise higher-privileged accounts such as administrators [1][4].
Mitigation
As of the available references, no official patch for CMS Made Simple 2.2.15 has been released to address this vulnerability. Users should restrict file upload permissions to trusted users only, disable SVG file uploads if possible, or implement additional input validation to sanitize uploaded SVG files. It is recommended to monitor the vendor's website for future updates and apply the fix when available [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=2.2.15
- Range: = 2.2.15
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.