The File Manager in CMS Made Simple up to and including 2.2.10 has Reflected XSS via the "New name" field in a Rename action.