CVE-2020-37238

MEDIUM

CMS Made Simple 2.2.15 Stored XSS via SVG File Upload

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37238. PoCs published by Eshan Singh.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in CMS Made Simple 2.2.15 via SVG file upload. The SVG payload contains JavaScript that executes when the file is accessed, allowing an attacker to steal cookies or perform other malicious actions.

Description

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.

Exploits (1)

exploitdb WORKING POC

by Eshan Singh · textwebappsphp

https://www.exploit-db.com/exploits/49199

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in CMS Made Simple 2.2.15 via SVG file upload. The SVG payload contains JavaScript that executes when the file is accessed, allowing an attacker to steal cookies or perform other malicious actions.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: CMS Made Simple v2.2.15

Auth required

Prerequisites: Authenticated access to the CMS admin panel · Ability to upload files via the Content Manager

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-49199

https://www.exploit-db.com/exploits/49199

Product product

Official Product Homepage

https://www.cmsmadesimple.org/

Product product

Product Reference

https://www.cmsmadesimple.org/downloads

Third Party Advisory third-party-advisory

VulnCheck Advisory: CMS Made Simple 2.2.15 Stored XSS via SVG File Upload

https://www.vulncheck.com/advisories/cms-made-simple-stored-xss-via-svg-file-upload

Scores

CVSS v3 6.4

EPSS 0.0003

EPSS Percentile 10.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Cmsmadesimple/CMS Made Simple 2.2.15

Published May 16, 2026

Tracked Since May 16, 2026