First, it should be noted that CVEs only concern software (a CMS being considered software). When a flaw is detected, it is called a "0 Day". This means that it has not been published or corrected. If the target company acknowledges the flaw, it can ask MITRE to validate the CVE. If MITRE considers that the software in question is widely used and supported, it will validate the company's request. It is also entitled to refuse. When MITRE gives its consent, it provides a unique CVE identifier to the company, which must in turn fill in a form with a full description of the flaw. The company can get help from the person who brought the flaw to light. Once completed, the form is returned to MITRE in order to publish the flaw.
The two companies that publish the most CVEs are Apple and Microsoft. For a company, publishing a CVE is synonymous with transparency toward consumers regarding its security policy.
There is also the Common Weakness Enumeration (CWE), which includes more specific categories of flaws so that companies can better understand how flaws affect their software. In this register we can find, for example, descriptions of flaws such as XSS, CSRF, SQLi, …