Vendor CVEs
Getsimplecms Ce
All CVEs
46 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-41544 | | Critical | 0.67 | 9.8 | 0.09 | | Oct 18, 2022 | GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php. |
| CVE-2023-46042 | | Critical | 0.66 | 9.8 | 0.23 | | Oct 19, 2023 | An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo(). |
| CVE-2020-18191 | | Critical | 0.59 | 9.1 | 0.02 | | Oct 2, 2020 | GetSimpleCMS-3.3.15 is affected by directory traversal. Remote attackers are able to delete arbitrary files via /GetSimpleCMS-3.3.15/admin/log.php |
| CVE-2018-17103 | | High | 0.57 | 8.8 | 0.01 | | Sep 16, 2018 | An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter |
| CVE-2014-8722 | | High | 0.53 | 7.5 | 0.14 | | Mar 17, 2017 | GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/.xml, (2) backups/users/.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml. |
| CVE-2021-28976 | | High | 0.50 | 7.2 | 0.08 | | Jun 23, 2021 | Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar files. |
| CVE-2020-23839 | | Medium | 0.43 | 6.1 | 0.10 | | Sep 1, 2020 | A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials,… |
| CVE-2018-9173 | | Medium | 0.43 | 6.1 | 0.03 | | Apr 2, 2018 | Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter. |
| CVE-2021-36601 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 10, 2021 | GetSimpleCMS 3.3.16 contains a cross-site Scripting (XSS) vulnerability, where Function TSL does not filter check settings.php Website URL: "siteURL" parameter. |
| CVE-2020-18660 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 23, 2021 | GetSimpleCMS <=3.3.15 has an open redirect in admin/changedata.php via the redirect function to the url parameter. |
| CVE-2020-18659 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 23, 2021 | Cross Site Scripting vulnerability in GetSimpleCMS <=3.3.15 via the (1) sitename, (2) username, and (3) email parameters to /admin/setup.php |
| CVE-2020-18658 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 23, 2021 | Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <=3.3.15 via the timezone parameter to settings.php. |
| CVE-2020-18657 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 23, 2021 | Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <= 3.3.15 in admin/changedata.php via the redirect_url parameter and the headers_sent function. |
| CVE-2013-1420 | | Medium | 0.40 | 6.1 | 0.01 | | Jan 2, 2020 | Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to… |
| CVE-2019-9915 | | Medium | 0.40 | 6.1 | 0.04 | | Mar 22, 2019 | GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter. |
| CVE-2018-16325 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 1, 2018 | There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field. |
| CVE-2017-10673 | | Medium | 0.40 | 6.1 | 0.01 | | Jun 29, 2017 | admin/profile.php in GetSimple CMS 3.x has XSS in a name field. |
| CVE-2021-47870 | | Medium | 0.35 | 5.4 | 0.00 | | Jan 21, 2026 | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to… |
| CVE-2023-51246 | | Medium | 0.35 | 5.4 | 0.00 | | Jan 8, 2024 | A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exists when using Source Code Mode as a backend user to add articles via the /admin/edit.php page. |
| CVE-2023-46040 | | Medium | 0.35 | 5.4 | 0.01 | | Oct 31, 2023 | Cross Site Scripting vulnerability in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the components.php function. |
| CVE-2020-21353 | | Medium | 0.35 | 5.4 | 0.01 | | Aug 6, 2021 | A stored cross site scripting (XSS) vulnerability in /admin/snippets.php of GetSimple CMS 3.4.0a allows attackers to execute arbitrary web scripts or HTML via crafted payload in the Edit Snippets module. |
| CVE-2020-20391 | | Medium | 0.35 | 5.4 | 0.01 | | Jun 23, 2021 | Cross Site Scripting vulnerability in GetSimpleCMS 3.4.0a in admin/snippets.php via (1) Add Snippet and (2) Save snippets. |
| CVE-2019-16333 | | Medium | 0.35 | 5.4 | 0.01 | | Sep 15, 2019 | GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php. |
| CVE-2018-19845 | | Medium | 0.35 | 5.4 | 0.01 | | Dec 31, 2018 | There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325. |
| CVE-2014-8723 | | Medium | 0.35 | 5.3 | 0.01 | | Mar 17, 2017 | GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) plugins/anonymous_data.php or (2) plugins/InnovationPlugin.php, which reveals the installation path in an error message. |
| CVE-2026-26351 | | Medium | 0.31 | 4.8 | 0.00 | | Feb 24, 2026 | GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored… |
| CVE-2023-6188 | | Medium | 0.31 | 4.7 | 0.01 | | Nov 17, 2023 | A vulnerability was found in GetSimpleCMS 3.3.16/3.4.0a. It has been rated as critical. This issue affects some unknown processing of the file /admin/theme-edit.php. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to… |
| CVE-2020-20389 | | Medium | 0.31 | 4.8 | 0.01 | | Jun 23, 2021 | Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php. |
| CVE-2021-28977 | | Medium | 0.31 | 4.8 | 0.01 | | Jun 23, 2021 | Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files, |
| CVE-2018-15843 | | Medium | 0.31 | 4.8 | 0.01 | | Aug 25, 2018 | GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field. |
| CVE-2018-19421 | | Low | 0.25 | 3.8 | 0.01 | | Nov 21, 2018 | In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer renders HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php. |
| CVE-2018-19420 | | Low | 0.25 | 3.8 | 0.01 | | Nov 21, 2018 | In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and… |
| CVE-2013-10032 | | | 0.09 | — | 0.02 | | Jul 25, 2025 | An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP… |
| CVE-2026-28495 | | | 0.00 | — | 0.00 | | Mar 10, 2026 | GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF… |
| CVE-2026-27202 | | | 0.00 | — | 0.01 | | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication. |
| CVE-2026-27161 | | | 0.00 | — | 0.00 | | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these… |
| CVE-2026-27147 | | | 0.00 | — | 0.00 | | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an… |
| CVE-2026-27146 | | | 0.00 | — | 0.00 | | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated… |
| CVE-2021-47860 | | | 0.00 | — | 0.00 | | Jan 21, 2026 | GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to… |
| CVE-2021-47830 | | | 0.00 | — | 0.00 | | Jan 21, 2026 | GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized… |
| CVE-2025-48492 | | | 0.00 | — | 0.01 | | May 30, 2025 | GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE).… |
| CVE-2024-55086 | | | 0.00 | — | 0.00 | | Dec 18, 2024 | In the GetSimple CMS CE 3.3.19 management page, Server-Side Request Forgery (SSRF) can be achieved in the plug-in download address in the backend management system. |
| CVE-2024-55085 | | | 0.00 | — | 0.01 | | Dec 16, 2024 | GetSimple CMS CE 3.3.19 suffers from arbitrary code execution in the template editing function in the background management system, which can be used by an attacker to implement RCE. |
| CVE-2024-11125 | | | 0.00 | — | 0.00 | | Nov 12, 2024 | A vulnerability was found in GetSimpleCMS 3.3.16 and classified as problematic. This issue affects some unknown processing of the file /admin/profile.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed… |
| CVE-2015-5356 | | | 0.00 | — | 0.02 | | Jul 1, 2015 | Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in GetSimple CMS before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the func parameter. |
| CVE-2015-5355 | | | 0.00 | — | 0.02 | | Jul 1, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post-content or (2) post-title parameter to admin/edit.php. |