Vulnerabilities
Vulnerable Software
An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.
CVSS Score: 8.8
EPSS Score: 0.568
Published: 2025-07-25
GetSimpleCMS <=3.3.15 has an open redirect in admin/changedata.php via the redirect function to the url parameter.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2021-06-23
Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <= 3.3.15 in admin/changedata.php via the redirect_url parameter and the headers_sent function.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2021-06-23
Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <=3.3.15 via the timezone parameter to settings.php.
CVSS Score: 6.1
EPSS Score: 0.005
Published: 2021-06-23
Cross Site Scripting vulnerability in GetSimpleCMS <=3.3.15 via the (1) sitename, (2) username, and (3) email parameters to /admin/setup.php.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2021-06-23
Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar files.
CVSS Score: 7.2
EPSS Score: 0.055
Published: 2021-06-23
Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files.
CVSS Score: 4.8
EPSS Score: 0.002
Published: 2021-06-23
Shodan ® - All rights reserved