Platform: java
Component: studentmanager
Fixed in: 2151560.0.1
CVE-2026-2201 describes a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager affecting the code base up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9. It allows an attacker to inject script into pages served by the application, which can compromise user sessions and data. Because the project follows a rolling release model, there are no tagged version numbers to compare against; affected builds are identified by commit, and all users of the component should review the mitigations below.
The XSS vulnerability in ZeroWdd studentmanager allows an attacker to inject arbitrary JavaScript into the application's web pages. Once executed in a victim's browser, such a script can read session cookies that are not flagged HttpOnly, redirect users to malicious sites, or deface the application. Successful exploitation could lead to unauthorized access to sensitive student data, including grades, attendance records, and personal information. Because the vulnerability is reachable remotely, the attacker does not need to be on the same network as the studentmanager server, which broadens the attack surface considerably. Given the public disclosure, the risk of exploitation is elevated.
CVE-2026-2201 was published on 2026-02-09 and has been publicly disclosed, which raises the probability of exploitation; public proof-of-concept (PoC) code is likely to follow. Its CVSS score places it at LOW severity. It is not currently listed in CISA KEV.
Educational institutions and other organizations running ZeroWdd studentmanager are at risk, in particular deployments where user-supplied data is reflected in web pages without output encoding. Users who rely on studentmanager to manage sensitive student data should prioritize the mitigations below.
Detection checks:
• java / server: locate where the 'Reason for Leave' value is handled in the controller and review how it reaches the page. A grep only finds the code path; it cannot show whether the value is encoded on output, so read the rendering code (or template) that the grep leads you to:
  grep -rn "Reason for Leave" src/main/java/com/wdd/studentmanager/controller/LeaveController.java
• generic web: X-XSS-Protection is a deprecated legacy browser header and is not a mitigation for this issue; the header check below only tells you whether the server sets it, not whether the field is encoded:
  curl -I <studentmanager_url>/leave/add | grep -i "X-XSS-Protection"
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
Because ZeroWdd studentmanager follows a rolling release model, there is no versioned patch to apply. The fix is to encode the 'Reason for Leave' value for its output context wherever LeaveController.java (the addLeave path) hands it to a page; in Java that means, for example, Spring's HtmlUtils.htmlEscape or the OWASP Java Encoder's Encode.forHtml for HTML element content, with a different encoder if the value ever lands in an attribute or a script block. Input validation (length limits, rejecting markup where it has no business being) is worthwhile defence in depth, but blocklists that strip <script> are bypassed by other tags and event handlers, so validation alone does not close the issue. A WAF (Web Application Firewall) in front of the application can filter obvious payloads while the code is being fixed. Keep reviewing and updating the code base for similar reflection points. After deploying the change, confirm it by submitting a harmless marker such as <b>test</b> in the field and checking that every page showing leave records renders it as literal text (&lt;b&gt;test&lt;/b&gt;) rather than as markup, and re-run the application's other tests to catch regressions.
Since the project's repository has not been active for several years and uses a rolling release model without specific version information, it is recommended to stop using this software or to find a secure alternative. If it must be kept, manually review and fix the code in `src/main/java/com/wdd/studentmanager/controller/LeaveController.java` so that the `Reason for Leave` argument handled by the `addLeave` function is escaped or sanitized, preventing the XSS vulnerability.
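The two paragraphs above use "escape or sanitize" loosely, and in practice the difference decides whether the fix holds. The following added example (Python, written for this page; it is not the project's Java code and the payloads are constructed) compares three strategies for the same attacker inputs: concatenating the value into the leave table as-is, a blocklist "sanitizer" that strips `<script>` tags, and HTML-entity encoding at the point of output. The oracle parses the resulting fragment with Python's `html.parser` and reports which elements a browser would see besides the wrapping `<td>`; any extra element means the markup went live. The same encode-on-output principle maps to `HtmlUtils.htmlEscape` (Spring) or `Encode.forHtml` (OWASP Java Encoder) in `LeaveController.addLeave`.

```python
"""Blocklist sanitising vs output encoding for a reflected text field (added example, not project code)."""
import html
import re
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Oracle: which start tags does the parser (and thus a browser) see in the fragment?"""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment: str, wrapper: str = "td") -> set:
    """Return the element names other than the wrapper that appear as live markup."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return {t for t in parser.tags if t != wrapper}


def naive_sanitize(reason: str) -> str:
    """The quick 'fix' a blocklist reaches for: strip <script> and </script> tags.
    Deliberately weak, to show why it is not an adequate mitigation."""
    return re.sub(r"(?i)<\s*/?\s*script[^>]*>", "", reason)


def render_unsafe(reason: str) -> str:
    """The vulnerable pattern: the user value is concatenated straight into the leave table."""
    return f"<td>{reason}</td>"


def render_encoded(reason: str) -> str:
    """The fix: encode for the HTML element context at the point of output.
    This covers text between tags. A value placed in an attribute needs quoting
    plus encoding, and one placed inside a <script> block needs a JS-context encoder."""
    return f"<td>{html.escape(reason, quote=True)}</td>"


# Constructed attacker inputs for the 'Reason for Leave' field.
PAYLOADS = {
    "script tag": "<script>alert(document.cookie)</script>",
    "event handler": "<img src=x onerror=alert(document.cookie)>",
    "nested bypass": "<scr<script>ipt>alert(1)</scr<script>ipt>",
}


def evaluate(reason: str) -> dict:
    """For one input, which elements go live under each strategy? Empty set = neutralised."""
    return {
        "unsanitised": injected_tags(render_unsafe(reason)),
        "blocklist": injected_tags(render_unsafe(naive_sanitize(reason))),
        "encoded": injected_tags(render_encoded(reason)),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:14s} {evaluate(payload)}")
```

The blocklist stops only the first payload: the event-handler payload never contained `<script>`, and stripping the inner `<script>` from the nested payload reassembles `<script>alert(1)</script>` from the fragments around it. Output encoding leaves the table cell with no injected element for all three, which is the result to expect from the Java fix in LeaveController.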
CVE-2026-2201 is a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager, affecting the code base up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9, that allows attackers to inject malicious scripts.
If you are running ZeroWdd studentmanager at or before commit 2151560fc0a50ec00426785ec1e01a3763b380d9, you are potentially affected by this XSS vulnerability.
Because of the rolling release model there is no versioned patch. Apply output encoding to the 'Reason for Leave' field (with input validation as defence in depth), and consider a WAF as an interim control.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the ZeroWdd project's official communication channels and documentation for the latest advisory regarding CVE-2026-2201.