CVE-2023-43359

MEDIUM

CMS Made Simple 2.2.18 - Stored Cross-Site Scripting via Page Specific Metadata and Smarty Data Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43359. PoCs published by sromanhu.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for a stored XSS vulnerability in CMSmadesimple v2.2.18, demonstrating how arbitrary JavaScript can be injected via the Page Specific Metadata and Smarty data fields in the Content Manager Menu.

Description

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.

Exploits (1)

nomisec WORKING POC
by sromanhu · poc
https://github.com/sromanhu/CVE-2023-43359-CMSmadesimple-Stored-XSS----Content-Manager


Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CMSmadesimple v2.2.18
Auth required
Prerequisites: Access to the CMSmadesimple admin panel · Ability to edit Content Manager Menu entries
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026


Scores

CVSS v3: 5.4
EPSS: 0.0046
EPSS Percentile: 36.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): cmsmadesimple/cms_made_simple 2.2.18
Published: Oct 19, 2023
Tracked Since: Feb 18, 2026