What is GHSA-r549-hx7w-7xr9?

GHSA-r549-hx7w-7xr9 is a security advisory published by GitHub Security Advisories with Medium severity. CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows...

Which CVE IDs does GHSA-r549-hx7w-7xr9 cover?

GHSA-r549-hx7w-7xr9 covers the following CVE IDs: CVE-2020-37238. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-r549-hx7w-7xr9?

GHSA-r549-hx7w-7xr9 has a CVSS v3 base score of 6.4, published by GitHub Security Advisories.

GHSA-r549-hx7w-7xr9MediumCVSS 6.4

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows...

Vendor

GitHub Security Advisories

Published

May 16, 2026

Last Modified

May 16, 2026

🔗 CVE IDs covered (1)

CVE-2020-37238 →

📋 Description

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2020-37238
https://www.cmsmadesimple.org
https://www.cmsmadesimple.org/downloads
https://www.exploit-db.com/exploits/49199
https://www.vulncheck.com/advisories/cms-made-simple-stored-xss-via-svg-file-upload
https://github.com/advisories/GHSA-r549-hx7w-7xr9