CVE-2021-47919
Non-Persistent XSS in Simple CMS preview.php Enables Session Hijack
Publication date: 2026-02-01
Last updated on: 2026-02-11
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simplephpscripts | simple_cms_php | 2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47919 is a non-persistent cross-site scripting (XSS) vulnerability in Simple CMS version 2.1. It exists in the preview.php file's 'id' parameter, which does not properly neutralize input. Attackers can send a crafted GET request injecting malicious script code into this parameter. This causes the malicious script to execute in the victim's browser context, without requiring authentication or significant user interaction. The vulnerability affects the preview module's exception-handling output, enabling client-side script execution that can lead to session hijacking, phishing, external redirects, or manipulation of application modules. [1, 2]
How can this vulnerability impact me?
Exploitation of this vulnerability can allow attackers to execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, phishing attacks, redirection to malicious sites, and manipulation of application modules. This can compromise user sessions and trust, resulting in unauthorized access or data theft. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted HTTP GET request to preview.php with a payload injected into the 'id' parameter and checking whether the response reflects the injected script. For example, you can use curl to test with a payload like: curl -v 'http://targetsite/preview.php?id=-1%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E'. If the response includes the injected script unencoded, or an alert fires when the same URL is loaded in a browser, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor's patch released by October 2, 2021, which fixes the input validation in the preview.php file's 'id' parameter. Until the patch is applied, you can implement input validation or filtering on the 'id' parameter to neutralize script code, restrict access to the preview.php file, and monitor for suspicious GET requests targeting this parameter to prevent exploitation. [1, 2]
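
One way to do the monitoring step above, as an added example that is not from the advisory or the vendor: a scanner that flags GET requests to preview.php whose 'id' value is not a plain integer. It assumes a common/combined access-log format and that legitimate ids are non-negative integers; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a common/combined log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: legitimate preview ids are plain non-negative integers.
VALID_ID_RE = re.compile(r"\d{1,10}")
# Characters needed to break out of an attribute or open a tag.
MARKUP_RE = re.compile(r"[<>\"']")


def classify_request(target):
    """Return None for benign or unrelated requests, else a reason string."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/preview.php"):
        return None
    # parse_qs percent-decodes once; a double-encoded value stays non-numeric
    # after decoding, so it is still reported.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("id", []):
        if VALID_ID_RE.fullmatch(value):
            continue
        if MARKUP_RE.search(value):
            return "markup characters in id"
        return "non-numeric id"
    return None


def scan_access_log(lines):
    """Yield (line_number, reason, client_ip) for suspicious preview.php hits."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        reason = classify_request(match.group("target"))
        if reason:
            yield number, reason, line.split(" ", 1)[0]


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Oct/2021:10:01:02 +0000] "GET /preview.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Oct/2021:10:01:09 +0000] "GET /preview.php?id=-1%3E%22%3Ciframe%20src=x%3E HTTP/1.1" 200 733',
    '203.0.113.9 - - [03/Oct/2021:10:01:15 +0000] "GET /preview.php?id=abc HTTP/1.1" 200 701',
    '198.51.100.7 - - [03/Oct/2021:10:02:00 +0000] "GET /index.php?id=%3Cb%3E HTTP/1.1" 200 900',
]
```

The same integer-only rule can serve as the temporary input filter on 'id' until the patch is applied, provided the application's real ids fit that assumption.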