Platform: java
Component: smart-sso
Fixed version:
2.1.1
2.1.2
CVE-2026-2972 describes a cross-site scripting (XSS) vulnerability discovered in Smart-SSO versions 2.1.0 through 2.1.1. This flaw resides within the Role Edit Page's Save function, allowing attackers to inject malicious scripts. Successful exploitation could lead to unauthorized access or modification of user data. The vulnerability is publicly disclosed and may be actively exploited.
An attacker exploiting CVE-2026-2972 can inject arbitrary JavaScript code into the Smart-SSO application. This code could be executed in the context of a user's browser, potentially allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the application is used to manage sensitive user data or access critical systems. This XSS vulnerability could be leveraged for phishing attacks or to gain persistent access to the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of a vendor response raises concerns about the timeliness of a patch. While the CVSS score is LOW, the potential for user data compromise and application defacement warrants immediate attention. No known active campaigns have been reported, but the public disclosure makes it a prime target for opportunistic attackers.
Organizations relying on Smart-SSO for single sign-on and identity management are at risk. This includes companies with legacy Smart-SSO deployments, those using the Role Edit Page for administrative tasks, and those who have not implemented robust input validation practices.
• java / server:
# Check for the vulnerable file
find /opt/smart-sso/smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/ -name UserController.java
• generic web:
# Check response headers for XSS indicators
curl -I https://your-smart-sso-instance/admin/role-edit | grep -i 'x-xss-protection'
Disclosure
Exploitation status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2972 is to upgrade Smart-SSO to a version that addresses the vulnerability. As of this writing, no patched version has been released. Until a patch is available, implement strict input validation and output encoding on the Role Edit Page to sanitize user-supplied data. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update security policies and procedures.
Update Smart-SSO to version 2.1.1 or later. If an update is not available, review and sanitize the user input handled by the Save function in smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java to prevent injection of malicious code.
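The following is an added illustration of the output-encoding and input-validation mitigation described above; it is not code from Smart-SSO, and the class, method and field names (role name, remark) are hypothetical. It shows a role row rendered with stored data concatenated as-is beside the encoded form, plus an allow-list check a Save handler could apply to the role name:

```java
// Added illustration (not Smart-SSO code): encode stored role fields for their
// HTML context before rendering, and allow-list the role name at save time.
import java.util.regex.Pattern;

public class RoleEditEncodingExample {
    // Assumed policy for the Save handler: role names are 1-64 characters of
    // letters, digits, spaces, underscores or hyphens. Rejecting markup at save
    // time is a second layer; output encoding below is the primary defence.
    private static final Pattern ROLE_NAME = Pattern.compile("^[\\p{L}\\p{N} _-]{1,64}$");

    public static boolean isValidRoleName(String name) {
        return name != null && ROLE_NAME.matcher(name).matches();
    }

    // Encodes the five characters that can terminate an HTML text node or a
    // single/double-quoted attribute value.
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unsafe rendering: stored role data is concatenated into the page as-is,
    // so markup saved through the edit form reaches every viewer's browser.
    public static String renderRoleRowUnsafe(String name, String remark) {
        return "<tr><td>" + name + "</td><td>" + remark + "</td></tr>";
    }

    // Hardened rendering: every stored field is encoded for the HTML context.
    public static String renderRoleRow(String name, String remark) {
        return "<tr><td>" + htmlEncode(name) + "</td><td>" + htmlEncode(remark) + "</td></tr>";
    }

    public static void main(String[] args) {
        String remark = "<script>alert(1)</script>"; // constructed sample input
        System.out.println(renderRoleRowUnsafe("admin", remark)); // script element survives
        System.out.println(renderRoleRow("admin", remark));       // rendered as inert text
        System.out.println(isValidRoleName("ops-team"));          // true
        System.out.println(isValidRoleName("<b>x</b>"));          // false
    }
}
```

The encoder covers HTML body and quoted-attribute contexts only; a value placed inside a script block, an event handler or a URL needs the encoding appropriate to that context instead.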
CVE-2026-2972 is a cross-site scripting (XSS) vulnerability affecting Smart-SSO versions 2.1.0 through 2.1.1. It allows attackers to inject malicious scripts via the Role Edit Page.
If you are using Smart-SSO versions 2.1.0 or 2.1.1, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
Upgrade to a patched version of Smart-SSO. Until a patch is released, implement input validation and output encoding, and consider using a WAF.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed and may be exploited by opportunistic attackers.
Due to the lack of vendor response, an official advisory may not be available. Monitor security news sources and the Smart-SSO community for updates.