CVE-2020-24860

CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.

Published: Oct 1, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-24860
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
cmsmadesimple / cms_made_simple	2.2.14	2.2.14.x

http://packetstormsecurity.com/files/159434/CMS-Made-Simple-2.2.14-Cross-Site-Scripting.html
https://www.cmsmadesimple.org
https://www.exploit-db.com/exploits/48851
https://www.youtube.com/watch?v=M6D7DmmjLak&t=22s

Vulnerability Database

289,697

CVE-2020-24860