Vulnerability-Lookup

CNVD-2026-00824

Vulnerability from cnvd - Published: 2026-01-06

Title

CMSimple跨站脚本漏洞（CNVD-2026-0082457）

Description

CMSimple是一种自由的内容管理系统。 CMSimple存在跨站脚本漏洞，该漏洞源于Filebrowser外部输入字段未对用户提供的内容进行适当的过滤或输出编码处理。攻击者可利用该漏洞通过构造恶意输入并将其存储到Filebrowser外部输入字段，当其他用户访问相关页面或点击Page/Files标签时，嵌入的恶意脚本将在用户浏览器中执行。

Severity

中

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://www.cmsimple.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-47732

Impacted products

Name
CMSimple CMSimple 5.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-47732",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-47732"
    }
  },
  "description": "CMSimple\u662f\u4e00\u79cd\u81ea\u7531\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\n\nCMSimple\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eFilebrowser\u5916\u90e8\u8f93\u5165\u5b57\u6bb5\u672a\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u5185\u5bb9\u8fdb\u884c\u9002\u5f53\u7684\u8fc7\u6ee4\u6216\u8f93\u51fa\u7f16\u7801\u5904\u7406\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6784\u9020\u6076\u610f\u8f93\u5165\u5e76\u5c06\u5176\u5b58\u50a8\u5230Filebrowser\u5916\u90e8\u8f93\u5165\u5b57\u6bb5\uff0c\u5f53\u5176\u4ed6\u7528\u6237\u8bbf\u95ee\u76f8\u5173\u9875\u9762\u6216\u70b9\u51fbPage/Files\u6807\u7b7e\u65f6\uff0c\u5d4c\u5165\u7684\u6076\u610f\u811a\u672c\u5c06\u5728\u7528\u6237\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.cmsimple.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-00824",
  "openTime": "2026-01-06",
  "products": {
    "product": "CMSimple CMSimple 5.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-47732",
  "serverity": "\u4e2d",
  "submitTime": "2025-12-29",
  "title": "CMSimple\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2026-0082457\uff09"
}

CVE-2021-47732 (GCVE-0-2021-47732)

Vulnerability from cvelistv5 – Published: 2025-12-23 19:34 – Updated: 2026-01-05 14:09

Title

CMSimple 5.2 Stored Cross-Site Scripting via Filebrowser External Input

Summary

CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

VulnCheck

References

URL

Tags

	https://www.exploit-db.com/exploits/49751	exploit
	https://www.cmsimple.org/en/	product
	https://www.vulncheck.com/advisories/cmsimple-sto…	third-party-advisory

Impacted products

	Vendor	Product	Version
	CMSimple	CMSimple	Affected: CMSimple 5.2

Credits

Quadron Research Lab

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47732",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-23T20:45:23.446645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-23T20:45:29.630Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CMSimple",
          "vendor": "CMSimple",
          "versions": [
            {
              "status": "affected",
              "version": "CMSimple 5.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Quadron Research Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T14:09:52.600Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-49751",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/49751"
        },
        {
          "name": "Official CMSimple Vendor Homepage",
          "tags": [
            "product"
          ],
          "url": "https://www.cmsimple.org/en/"
        },
        {
          "name": "VulnCheck Advisory: CMSimple 5.2 Stored Cross-Site Scripting via Filebrowser External Input",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/cmsimple-stored-cross-site-scripting-via-filebrowser-external-input"
        }
      ],
      "title": "CMSimple 5.2 Stored Cross-Site Scripting via Filebrowser External Input",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2021-47732",
    "datePublished": "2025-12-23T19:34:07.775Z",
    "dateReserved": "2025-12-23T13:24:04.578Z",
    "dateUpdated": "2026-01-05T14:09:52.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-00824

CVE-2021-47732 (GCVE-0-2021-47732)

Tags

Sightings

Nomenclature