CMS Made Simple · CVE-2020-10682
**Name of the Vulnerable Software and Affected Versions**
CMS Made Simple version 2.2.13
**Description**
The issue allows remote code execution via a specially crafted `.php.jpegd` JPEG file. This can be achieved by sending the file as `application/octet-stream` to the `admin/moduleinterface.php` endpoint, specifically using the `m1_files[]` parameter. The file does not need to be a valid JPEG, but it should contain PHP code.
**Recommendations**
For CMS Made Simple version 2.2.13, restrict access to the `admin/moduleinterface.php` endpoint to minimize the risk of exploitation, and avoid using the `m1_files[]` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
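
As an added example (not part of the original advisory and not CMS Made Simple code), the Python audit below checks uploaded files for the traits described above: a PHP extension hidden before the final extension, a final extension outside an image allowlist, PHP tags in the body, and a JPEG-style name without JPEG magic bytes. The extension lists, function names and sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: extensions a PHP-enabled web server may be configured to execute.
PHP_EXT = re.compile(r"^(php[0-9]?|phtml|pht|phar)$", re.IGNORECASE)
# Assumption: final extensions permitted in an image upload area.
IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
JPEG_MAGIC = b"\xff\xd8\xff"


def audit_upload(name: str, data: bytes) -> list[str]:
    """Return the reasons a file matches the .php.jpegd pattern (empty if none)."""
    findings = []
    segments = name.split(".")[1:]  # every extension, not only the last one
    if any(PHP_EXT.match(s) for s in segments):
        findings.append("php-extension-segment")
    last = segments[-1].lower() if segments else ""
    if last not in IMAGE_EXT:
        findings.append("final-extension-not-allowlisted")
    if PHP_TAG.search(data):
        findings.append("php-code-in-body")
    # The advisory notes the file need not be a valid JPEG, so check the magic.
    if last.startswith(("jpg", "jpeg")) and not data.startswith(JPEG_MAGIC):
        findings.append("jpeg-name-without-jpeg-magic")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Audit every regular file under root; report only files with findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(1 << 20)  # first 1 MiB is enough for the tag check
            findings = audit_upload(path.name, head)
            if findings:
                report[str(path)] = findings
    return report


# Constructed samples, not taken from any real system.
SAMPLES = {
    "holiday.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "avatar.php.jpegd": b"<?php /* constructed placeholder body */ ?>",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, audit_upload(fname, body))
```

Point `scan_tree` at the site's upload directory to review files already on disk; the PHP tag match is a heuristic and can occasionally fire on binary image data.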