Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in isourcecode Society Management System version 1.0. This flaw resides within the /admin/activity.php file and allows attackers to inject malicious scripts through manipulation of the Title argument. Successful exploitation could lead to session hijacking or defacement of the application. The vulnerability was publicly disclosed on 2026-01-19 and a proof-of-concept is available.
The XSS vulnerability in isourcecode Society Management System allows an attacker to inject arbitrary JavaScript code into the application. This code will then be executed in the context of the user's browser when they access the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the Society Management System. Given the availability of a public proof-of-concept, the risk of exploitation is considered high.
CVE-2026-1135 is publicly known with a proof-of-concept available, indicating a high probability of exploitation. It was disclosed on 2026-01-19. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. Active exploitation campaigns are possible given the ease of exploitation.
Organizations using isourcecode Society Management System version 1.0, particularly those with publicly accessible administration interfaces, are at risk. Shared hosting environments where multiple users share the same instance of the software are especially vulnerable, as an attacker could potentially compromise other users' accounts.
• generic web:
curl -I "<affected_url>/admin/activity.php?Title=<xss_payload>"
• generic web:
grep -i "<xss_payload>" /var/log/apache2/access.log
Exploit status
disclosure
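The grep check above only finds a literal payload string. The following added example (not part of the advisory) parses Apache access-log lines, keeps only requests to /admin/activity.php, percent-decodes the Title parameter repeatedly so double-encoded input is not missed, and flags values that contain script-like markup. The log lines are constructed samples, and the suspicious-pattern regex is a heuristic chosen here, not a rule from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2026:10:01:02 +0000] "GET /admin/activity.php?Title=Annual%20meeting HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jan/2026:10:02:15 +0000] "GET /admin/activity.php?Title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.9 - - [19/Jan/2026:10:02:40 +0000] "GET /admin/activity.php?Title=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.2 - - [19/Jan/2026:10:03:00 +0000] "GET /admin/members.php?Title=%3Cb%3Ehi HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache combined log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Heuristic: tag openers, javascript: URLs and on*= handlers have no place in a plain title.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|on[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_title_injections(log_text, path="/admin/activity.php", param="Title"):
    """Return (client_ip, timestamp, decoded_title) for requests to `path`
    whose `param` value looks like markup. Access logs expose only the GET
    query string; POST bodies are not logged, so this is a partial check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line, skip it
        parts = urlsplit(m.group("target"))
        if parts.path != path:
            continue
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            title = fully_decode(raw)
            if SUSPICIOUS_RE.search(title):
                hits.append((m.group("ip"), m.group("ts"), title))
    return hits


if __name__ == "__main__":
    for ip, ts, title in find_title_injections(SAMPLE_LOG):
        print(f"{ts} {ip} Title={title!r}")
```

Point it at a real access.log by reading the file into `find_title_injections`; the output lines give the client address and timestamp to pivot on in session logs.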
EPSS
0.01% (percentile 3%)
The primary mitigation for CVE-2026-1135 is to upgrade to a patched version of isourcecode Society Management System. As no fixed version is currently available, implement temporary workarounds to reduce the risk. These include implementing strict input validation on the Title parameter in /admin/activity.php, sanitizing user-supplied data, and deploying a Web Application Firewall (WAF) with rules to block XSS attacks. Consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed.
Update to a fixed version of the software. If no fixed version is available, it is recommended to disable or remove the software until a fix is published.
CVE-2026-1135 is a cross-site scripting (XSS) vulnerability affecting isourcecode Society Management System version 1.0, allowing attackers to inject malicious scripts via the /admin/activity.php file.
If you are using isourcecode Society Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of isourcecode Society Management System. Until a patch is available, implement input validation and WAF rules to mitigate the risk.
A proof-of-concept is publicly available, indicating a high probability of exploitation. Monitor your systems closely for suspicious activity.
Please refer to the isourcecode website or security mailing lists for the official advisory regarding CVE-2026-1135.