Report a Vulnerability

How to Report a Vulnerability

We love that the community is so eager to ensure the security of CMS Made Simple! If you think you've found a vulnerability and wish to report it, read through the following carefully before contacting us.

Is it really a vulnerability?

With any Content Management System as powerful as CMS Made Simple, some inherent risks are assumed. Backend users can add scripts, HTML, and even PHP code via User Defined Tags. For this reason, we don't consider the ability to include scripts in any field in the backend, or the uploading of certain file types via the File Manager, to be legitimate vulnerabilities.

If you think certain types of files shouldn't be uploaded by users, you should restrict that at the server level using .htaccess or any other means at your disposal.

Wait! My case is different!

Access to the backend of CMS Made Simple should only be given to trusted users. Although we offer granular permissions for user groups, this is intended primarily as a division of tasks rather than a security measure. If you need to give restricted access to untrusted users, use a third-party module for frontend users.

We may, at our discretion, tighten restrictions on what fields may contain scripts and what kinds of files can be uploaded. This is low on our priority list and vulnerability reports of this nature will generally be disregarded.

You are welcome to disagree with this, and may take your report public as you see fit.

No, I seriously have a concern and it doesn't require backend access

Oh no! In that case, please submit a vulnerability report.

What Happens Next

  • Upon receipt of a legitimate report, it will be distributed to the appropriate Dev Team members.
  • If we require more information, or wish to acknowledge a serious report, we will respond via email.
  • We do not pay bounties, nor do we generate CVE numbers or participate in any CVE reporting agency.
  • We will release a patch in a timeframe suitable to the severity of the vulnerability.
  • If you do not receive a response within 3 business days, your report has likely been considered invalid. We are a small group of volunteers and don't have the resources to respond to the countless invalid reports we receive.
