CVE-2024-1529

7.4 HIGH

📋 TL;DR

CMS Made Simple 2.2.14 has a cross-site scripting vulnerability in the admin user creation page that allows attackers to inject malicious JavaScript. This could enable session hijacking when authenticated administrators view crafted user data. Only systems running the vulnerable version with admin access are affected.

💻 Affected Systems

Products:
  • CMS Made Simple
Versions: 2.2.14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to exploit; affects /admin/adduser.php with multiple vulnerable parameters.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete admin account takeover leading to website defacement, data theft, or further server compromise through admin privileges.

🟠 Likely Case

Session hijacking of admin accounts allowing unauthorized content changes or data access.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access; XSS payloads can be delivered through user creation forms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.15 or later

Vendor Advisory: https://forum.cmsmadesimple.org/viewforum.php?f=1

Restart Required: No

Instructions:

1. Backup your CMS installation and database.
2. Download CMS Made Simple 2.2.15+ from official sources.
3. Replace vulnerable files with patched versions.
4. Clear CMS cache.
5. Verify admin functionality works.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement server-side input validation for all user-controlled parameters in adduser.php

Modify /admin/adduser.php to sanitize all POST/GET parameters before processing

Output Encoding (all)

Apply proper HTML encoding to all user-controlled output in admin interface

Update templates to use htmlspecialchars() or equivalent encoding

🧯 If You Can't Patch

  • Restrict admin access to trusted IP addresses only
  • Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the CMS version in the admin panel or in the version.php file; if it is 2.2.14, the system is vulnerable.

Check Version:

grep '\$CMS_VERSION' /path/to/cms/version.php

Verify Fix Applied:

After the update, confirm that the version shows 2.2.15+ in the admin panel and test that XSS payloads no longer execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin user creation attempts
  • Suspicious JavaScript in POST parameters to adduser.php

Network Indicators:

  • HTTP requests to /admin/adduser.php with script tags in parameters

SIEM Query:

source="web_logs" AND uri="/admin/adduser.php" AND (param="*<script*" OR param="*javascript:*")
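As an added example that is not part of this advisory or of the CMS Made Simple project, the script below applies the same check as the SIEM query above to constructed request log entries, but URL-decodes parameter values first so that encoded or double-encoded payloads are not missed by a raw-text pattern. The (method, uri, query/body) tuple layout and the SAMPLE_REQUESTS entries are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample entries (not real logs): (method, uri, raw query or POST body)
SAMPLE_REQUESTS = [
    ("POST", "/admin/adduser.php", "user=alice&password=x&email=alice%40example.com"),
    ("POST", "/admin/adduser.php", "user=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=x"),
    ("POST", "/admin/adduser.php", "user=bob&firstname=%3Ca+href%3D%22JaVaScRiPt%3Aalert%281%29%22%3Ex"),
    ("POST", "/admin/adduser.php", "user=dave&lastname=%253Cscript%253E"),
    ("GET",  "/index.php", "page=%3Cscript%3E"),
    ("POST", "/admin/adduser.php", "user=carol&lastname=O%27Brien"),
]

# The two markers the SIEM query looks for, matched case-insensitively.
XSS_MARKERS = re.compile(r"<script|javascript:", re.IGNORECASE)
TARGET_URI = "/admin/adduser.php"


def suspicious_params(uri, raw_params):
    """Return the names of parameters carrying an XSS marker, or [] if none.

    parse_qs decodes each value once; a second unquote_plus catches
    double-encoded values, which a raw-log match on "*<script*" would miss.
    """
    if uri.split("?", 1)[0] != TARGET_URI:
        return []
    hits = []
    for name, values in parse_qs(raw_params, keep_blank_values=True).items():
        for value in values:
            if XSS_MARKERS.search(value) or XSS_MARKERS.search(unquote_plus(value)):
                hits.append(name)
                break
    return hits


def scan(requests):
    """Return (index, flagged parameter names) for every request worth an alert."""
    findings = []
    for i, (_method, uri, raw_params) in enumerate(requests):
        hits = suspicious_params(uri, raw_params)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for i, params in scan(SAMPLE_REQUESTS):
        print(f"request {i}: XSS marker in parameter(s) {', '.join(params)}")
```

Legitimate values such as an apostrophe in a surname (request 5) are not flagged, so the alert stays specific to the two markers rather than to all special characters.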
