Platform: java
Component: studentmanager
Fixed in: 2151560.0.1
CVE-2026-2201 describes a cross-site scripting (XSS) vulnerability discovered in ZeroWdd studentmanager, affecting versions up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. Due to the rolling release model, specific version numbers are not available, but all users of the affected component should review the provided mitigation strategies.
The XSS vulnerability in ZeroWdd studentmanager allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited to steal user cookies, redirect users to malicious websites, or deface the application. Successful exploitation could lead to unauthorized access to sensitive student data, including grades, attendance records, and personal information. The remote nature of the vulnerability means an attacker doesn't need to be on the same network as the studentmanager server, significantly broadening the potential attack surface. Given the public disclosure, the risk of exploitation is elevated.
CVE-2026-2201 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is considered LOW severity based on the CVSS score. Public proof-of-concept (POC) code is likely to emerge, further increasing the risk. The vulnerability was published on 2026-02-09. It is not currently listed on CISA KEV.
Educational institutions and organizations utilizing ZeroWdd studentmanager are at risk. Specifically, deployments where user-provided data is directly reflected in web pages without proper sanitization are particularly vulnerable. Users who rely on the studentmanager for sensitive student data management should prioritize implementing the recommended mitigations.
• java / server:
  grep -r "Reason for Leave" src/main/java/com/wdd/studentmanager/controller/LeaveController.java | grep -i "<script"
• generic web:
  curl -I <studentmanager_url>/leave/add | grep -i "X-XSS-Protection"
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
Due to the rolling release model of ZeroWdd studentmanager, a direct patch is not immediately available. The primary mitigation is robust input validation and output encoding for the 'Reason for Leave' field handled in LeaveController.java: sanitize or escape the user-supplied value so that it cannot introduce HTML or JavaScript into rendered pages. Consider a WAF (Web Application Firewall) as an additional filter for malicious requests, and regularly review and update the application's codebase. After implementing these mitigations, test the application thoroughly to confirm that the vulnerability is no longer reproducible and that no new issues have been introduced.
Because the project's code repository has not been active for many years and uses a rolling release model without specific version information, it is recommended to stop using this software or to find a secure alternative. If keeping it is unavoidable, manually review and correct the code in `src/main/java/com/wdd/studentmanager/controller/LeaveController.java` to remove the XSS vulnerability in the `addLeave` function, by escaping or sanitizing the input of the `Reason for Leave` argument.
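The advisory asks for output encoding of the 'Reason for Leave' value but does not show what that looks like in code. The following is an added, self-contained Java example, not code from the ZeroWdd studentmanager project: it places the unsafe string concatenation next to an output-encoded version and adds a plausibility check as defence in depth. The class name, method names and the sample inputs are all constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (hypothetical names, not from the studentmanager code base):
 * reflected XSS arises when a stored "Reason for Leave" value is concatenated
 * into HTML unchanged; encoding at the point of output is the fix.
 */
public class LeaveReasonEncodingExample {

    /** Minimal HTML entity encoder covering the characters that matter in element content and attribute values. */
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the submitted reason lands in the page verbatim. */
    public static String renderUnsafe(String reason) {
        return "<td>" + reason + "</td>";
    }

    /** Hardened pattern: encode on output so any markup in the value is displayed as text. */
    public static String renderSafe(String reason) {
        return "<td>" + escapeHtml(reason) + "</td>";
    }

    /** Defence in depth: reject empty, overlong, or control-character-laden reasons before storing them. */
    public static boolean isPlausibleReason(String reason) {
        if (reason == null || reason.trim().isEmpty() || reason.length() > 500) {
            return false;
        }
        for (int i = 0; i < reason.length(); i++) {
            char c = reason.charAt(i);
            if (Character.isISOControl(c) && c != '\n' && c != '\r' && c != '\t') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real leave requests.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("benign", "Family event on Friday");
        samples.put("markup", "Sick <b>again</b> & \"tired\"");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.println(e.getKey() + " / unsafe:    " + renderUnsafe(e.getValue()));
            System.out.println(e.getKey() + " / safe:      " + renderSafe(e.getValue()));
            System.out.println(e.getKey() + " / plausible: " + isPlausibleReason(e.getValue()));
        }
    }
}
```

Compile and run with `javac LeaveReasonEncodingExample.java && java LeaveReasonEncodingExample`. For the "markup" sample the safe rendering contains `&lt;b&gt;` and `&amp;` rather than live tags. In a real Spring MVC application the same effect is normally obtained from the view layer (Thymeleaf's `th:text` and JSTL's `<c:out>` escape by default); the hand-written encoder here only makes the point visible without any framework dependency, and validation on input remains a supplement to, not a replacement for, encoding on output.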
CVE-2026-2201 is a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager versions up to 2151560fc0a50ec00426785ec1e01a3763b380d9, allowing attackers to inject malicious scripts.
If you are using ZeroWdd studentmanager versions up to 2151560fc0a50ec00426785ec1e01a3763b380d9, you are potentially affected by this XSS vulnerability.
Due to the rolling release model, a direct patch is unavailable. Implement input validation and output encoding on the 'Reason for Leave' field, and consider using a WAF.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the ZeroWdd project's official communication channels and documentation for the latest advisory regarding CVE-2026-2201.