CVE-2020-37238 is a stored cross-site scripting issue in CMS Made Simple 2.2.15 tied to SVG file uploads in the file manager. In the supplied record, an authenticated user with Content Manager access can upload an SVG containing embedded JavaScript, and the payload may execute when another authenticated user views the uploaded file. The practical risk is session theft or account abuse through browser-side [truncated]
CVE-2017-6072 is a publicly documented information-disclosure issue in CMS Made Simple Form Builder. The published record says remote attackers could trigger disclosure via defaultadmin, and NVD maps the weakness to CWE-200 with a network-based attack path that requires no privileges or user interaction.
CVE-2017-6071 is a remotely reachable information-disclosure issue in CMS Made Simple Form Builder, triggered through exportxml. NVD rates it as medium severity and identifies low confidentiality impact with no integrity or availability impact. The supplied NVD record also lists affected CMS Made Simple and Form Builder version ranges, so version inventory matters for both components.
CVE-2017-6070 is a critical remote code execution issue in CMS Made Simple Form Builder. The published description says attackers could execute PHP code through the cntnt01fbrp_forma_form_template parameter in admin_store_form. NVD maps the issue to Form Builder versions through 0.8.1.5 and CMS Made Simple versions through 1.12.2.
CVE-2016-7904 describes a cross-site request forgery (CSRF) issue in CMS Made Simple that affects versions through 2.1.5. The vulnerable flow involves admin/adduser.php, where an attacker can induce an authenticated administrator to submit a request that creates accounts. The vendor reference and CVE description indicate the issue is addressed in 2.1.6.
