CMS Made Simple · CMS Made Simple · CVE-2017-16798
**Name of the Vulnerable Software and Affected Versions**
CMS Made Simple version 2.2.3.1
**Description**
The issue allows remote attackers to bypass intended access restrictions or trigger XSS via certain file extensions. The `is_file_acceptable` function in `modules/FileManager/action.upload.php` only blocks file extensions that begin or end with the substring "php", so other extensions such as `.phtml`, `.pht`, `.html`, or `.svg` are not rejected and remain exploitable.
**Recommendations**
For CMS Made Simple version 2.2.3.1, restrict the upload of files with potentially executable or malicious extensions as a temporary workaround until a patch is available. Do not rely on the `is_file_acceptable` function in `modules/FileManager/action.upload.php` without additional validation, to minimize the risk of exploitation.
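To make the weakness described above and the recommended mitigation concrete, the following added example (not CMS Made Simple's own code) reconstructs the blocklist behaviour the description attributes to `is_file_acceptable` in a simplified form and places it beside an allowlist-based check. The function names, the allowlist contents and the sample filenames are assumptions made for this illustration; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from CMS Made Simple. Models the behaviour the
// advisory describes: only extensions that begin or end with "php" are
// rejected, so "phtml", "pht", "html" and "svg" pass the check.
function weak_is_file_acceptable(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    // Blocklist by substring position: catches "php", "php5", "xphp" only.
    if (substr($ext, 0, 3) === 'php' || substr($ext, -3) === 'php') {
        return false;
    }
    return true;
}

// Hardened check (assumed policy for this example, not the project's fix):
// accept only an explicit allowlist of non-script, non-markup extensions.
// "html" and "svg" are deliberately absent because browsers render them as
// active content, which is the XSS vector the advisory mentions. Every
// extension in a multi-dot name is checked so "photo.php.jpg" is rejected.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function hardened_is_file_acceptable(string $filename): bool {
    $parts = explode('.', basename($filename));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile such as ".htaccess"
    }
    array_shift($parts); // drop the base name, keep every extension segment
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_UPLOAD_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names for illustration only.
$samples = ['report.pdf', 'file.php', 'file.phtml', 'file.pht',
            'page.html', 'image.svg', 'photo.php.jpg', 'photo.jpg.php'];
foreach ($samples as $name) {
    printf("%-14s weak=%-6s hardened=%s\n", $name,
        weak_is_file_acceptable($name) ? 'accept' : 'reject',
        hardened_is_file_acceptable($name) ? 'accept' : 'reject');
}
```

Running the script shows the weak check accepting `file.phtml`, `file.pht`, `page.html`, `image.svg` and `photo.php.jpg`, while the allowlist version accepts only `report.pdf`.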