Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in isourcecode Society Management System version 1.0. This flaw resides within the /admin/expenses.php file, specifically in the handling of the 'detail' argument. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and data integrity. Affected versions include 1.0. A fix is expected from the vendor.
The XSS vulnerability in isourcecode Society Management System allows an attacker to execute arbitrary JavaScript code in the context of a user's browser. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and redirection to phishing sites. An attacker could steal sensitive information like user credentials or financial data. Given the publicly available exploit, the risk of exploitation is significant, particularly for systems with unpatched installations. The impact is amplified if the application is used to manage sensitive data or handle financial transactions.
CVE-2026-1134 has a publicly available proof-of-concept (PoC), indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-01-19. While no active exploitation campaigns have been definitively confirmed, the availability of a PoC significantly increases the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing isourcecode Society Management System version 1.0, particularly those with publicly accessible instances or those lacking robust input validation practices, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user's account could potentially lead to the compromise of others.
• php / web:
# Fetch the response body (not only the headers, as -I would) and look for the reflected payload
curl -s 'http://your-society-management-system/admin/expenses.php?detail=<script>alert("XSS")</script>' | grep -i '<script>alert'
• generic web:
# Look for the same payload in the web server access log
grep -i 'alert("XSS")' /var/log/apache2/access.log
disclosure
Exploit Status
EPSS
0.01% (percentile 3%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1134 is to upgrade to a patched version of isourcecode Society Management System as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. Input validation and sanitization on the 'detail' parameter in /admin/expenses.php can help prevent malicious code injection. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can also provide a layer of protection. Carefully review and restrict access to the /admin/expenses.php page to authorized personnel only. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'detail' parameter and verifying that it is properly sanitized.
Update to a fixed version of the software. If no fixed version is available, it is recommended to sanitize user input in the /admin/expenses.php file, in particular the 'detail' argument, to prevent malicious code injection.
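The sanitization advice above, shown as an added PHP example that is not the project's code: the vulnerable pattern is a hypothetical reconstruction of how a 'detail' parameter might be echoed (the real /admin/expenses.php source is not on this page), and the hardened form applies output encoding, input bounds and a CSP header as defence in depth.

```php
<?php
// Added example: hardening a reflected 'detail' parameter in a PHP page such as
// /admin/expenses.php. The vulnerable function is a hypothetical reconstruction,
// not the project's actual source.
declare(strict_types=1);

// --- Vulnerable pattern (hypothetical): the raw query parameter is echoed into HTML,
// so a <script> element supplied in ?detail= is rendered and executed by the browser.
function render_detail_vulnerable(array $get): string
{
    $detail = $get['detail'] ?? '';
    return '<td>' . $detail . '</td>';
}

// --- Hardened form: encode for the HTML context at output time.
// ENT_QUOTES also escapes single quotes, so the helper is safe inside single- or
// double-quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which could otherwise mask a problem silently.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_detail_hardened(array $get): string
{
    $detail = $get['detail'] ?? '';
    // Input validation as a second layer: expense details are free text, so bound the
    // length and reject control characters rather than trying to blacklist tags.
    if (strlen($detail) > 500 || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $detail)) {
        http_response_code(400);
        return '<td>Invalid detail value</td>';
    }
    return '<td>' . esc_html($detail) . '</td>';
}

// Defence in depth: a CSP that disallows inline scripts limits what a reflected
// payload can do even if an encoding bug slips through elsewhere in the application.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Constructed sample input (the payload from this advisory) to show the difference:
// the vulnerable output contains a live <script> element, the hardened output
// contains only entity-encoded text that the browser renders as literal characters.
$sample = ['detail' => '<script>alert("XSS")</script>'];
echo render_detail_vulnerable($sample), PHP_EOL;
echo render_detail_hardened($sample), PHP_EOL;
```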
CVE-2026-1134 is a cross-site scripting (XSS) vulnerability affecting isourcecode Society Management System version 1.0. It allows attackers to inject malicious scripts via the /admin/expenses.php file's 'detail' argument.
If you are using isourcecode Society Management System version 1.0, you are potentially affected by this vulnerability. Check your installation and apply the recommended mitigations immediately.
The recommended fix is to upgrade to a patched version of isourcecode Society Management System as soon as it becomes available. Until then, implement input validation and WAF rules.
While no confirmed active exploitation campaigns are currently known, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the isourcecode Society Management System website or their official security advisory channels for updates and the official advisory regarding CVE-2026-1134.