Platform
php
Fixed version
1.0.1
CVE-2026-3412 describes a cross-site scripting (XSS) vulnerability discovered in the itsourcecode University Management System, specifically affecting version 1.0. This flaw resides within the /attsingleview.php file and allows attackers to inject malicious scripts via manipulation of the 'dt' argument. The vulnerability is remotely exploitable and a public proof-of-concept is now available, increasing the risk of exploitation.
Successful exploitation of CVE-2026-3412 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the University Management System. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data like login credentials or personal information. Given the public availability of a proof-of-concept, the risk of widespread exploitation is significant, particularly for systems with unpatched installations. The blast radius extends to all users accessing the affected page.
CVE-2026-3412 is currently considered a high-risk vulnerability due to the public availability of a proof-of-concept. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation makes it a prime target for opportunistic attackers. The vulnerability was publicly disclosed on 2026-03-02. Monitor security advisories and threat intelligence feeds for updates.
Organizations utilizing the itsourcecode University Management System version 1.0, particularly those with publicly accessible instances or those lacking robust input validation practices, are at significant risk. Shared hosting environments where multiple users share the same server resources are also particularly vulnerable, as a compromise of one user's account could potentially impact others.
• php / web:
  curl -I 'http://your-university-management-system/att_single_view.php?dt=<script>alert(1)</script>' | grep -i content-type
• generic web:
  grep -i 'dt=<script' /var/log/apache2/access.log
Disclosure
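The grep above only matches a literal `<script` in the log; a browser percent-encodes `<` and `>` in a query string, so the same request would appear as `dt=%3Cscript%3E...` and be missed. The following is an added example, not code from the advisory or from itsourcecode, that scans combined-format access log lines for the affected script, decodes the `dt` parameter, and flags markup-like content. The script paths come from the advisory text; the log lines, client addresses and timestamps are constructed for the demonstration.

```php
<?php
// Added example (not the project's or the advisory's code): scan Apache/Nginx
// combined-format access log lines for suspicious values of the `dt` parameter
// on the affected script. Unlike a plain grep for 'dt=<script', this decodes
// percent-encoding first, so %3Cscript%3E (what a browser actually sends) is
// caught as well. Script paths are taken from the advisory; log lines below
// are constructed for the demo.

declare(strict_types=1);

// Both spellings appear in the advisory text, so match either.
const TARGET_SCRIPTS = ['/attsingleview.php', '/att_single_view.php'];

// Returns the decoded `dt` value if the request targets the affected script
// and the value looks like markup injection, otherwise null.
function suspiciousDtValue(string $logLine): ?string
{
    // Combined log format: ... "METHOD /path?query HTTP/1.x" status ...
    if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $path  = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($path === null || $path === false || $query === null || $query === false) {
        return null;
    }
    if (!in_array($path, TARGET_SCRIPTS, true)) {
        return null;
    }
    parse_str($query, $params);          // parse_str percent-decodes values
    if (!isset($params['dt']) || !is_string($params['dt'])) {
        return null;
    }
    // Decode once more to catch double-encoded payloads (%253C -> %3C -> <).
    $dt = urldecode($params['dt']);
    // A date value never contains tag delimiters, quotes, a javascript: scheme
    // or an on*= handler; flag anything that does.
    if (preg_match('/[<>"\']|javascript:|on\w+\s*=/i', $dt)) {
        return $dt;
    }
    return null;
}

// Scans an array of log lines; returns one entry per flagged line.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $dt = suspiciousDtValue($line);
        if ($dt !== null) {
            $hits[] = ['line' => $n + 1, 'dt' => $dt];
        }
    }
    return $hits;
}

// Constructed sample lines (client IPs, timestamps and sizes are made up).
$sample = [
    '192.0.2.10 - - [02/Mar/2026:10:00:01 +0000] "GET /attsingleview.php?dt=2026-03-02 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [02/Mar/2026:10:00:05 +0000] "GET /attsingleview.php?dt=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200',
    '192.0.2.12 - - [02/Mar/2026:10:00:09 +0000] "GET /attsingleview.php?dt=<script>alert(1)</script> HTTP/1.1" 200 5200',
    '192.0.2.13 - - [02/Mar/2026:10:00:12 +0000] "GET /index.php?dt=%3Cb%3E HTTP/1.1" 200 800',
];

// Run from the CLI: php scan_dt.php  (the second and third lines are flagged;
// the first is a normal date and the fourth targets a different script).
foreach (scanLog($sample) as $hit) {
    printf("line %d: suspicious dt=%s\n", $hit['line'], $hit['dt']);
}
```

To run it over a real log, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`; the path-restriction keeps the scan focused on the affected endpoint rather than every `dt` parameter on the site.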
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3412 is to upgrade to a patched version of the itsourcecode University Management System. As no fixed version is currently specified, immediate action is crucial. In the absence of an upgrade, implement temporary mitigations such as deploying a Web Application Firewall (WAF) with rules to filter out malicious script injections targeting the 'dt' parameter in /attsingleview.php. Input validation on the server-side, specifically sanitizing or encoding user-supplied input before rendering it in the page, is also essential. Regularly review access and error logs for suspicious activity.
Update to a patched version of the University Management System. If no such version is available, review the source code of `/att_single_view.php` and sanitize the input to the `dt` parameter so that malicious JavaScript cannot be executed.
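The server-side fix the mitigation text describes has two parts: reject values of `dt` that do not match what the page expects, and encode whatever is rendered into HTML. The following is an added example, not itsourcecode's code; it assumes the affected page echoes `$_GET['dt']` into HTML body text, and the rule that `dt` must be a `YYYY-MM-DD` date is an assumption made for the demonstration. The function names are hypothetical.

```php
<?php
// Added example (not itsourcecode's code): how a reflected XSS on a query
// parameter such as `dt` arises, and how to render the value safely.
// Assumptions: the page writes $_GET['dt'] into HTML body text, and a valid
// `dt` is a calendar date in YYYY-MM-DD form. Function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: untrusted input written straight into HTML.
function renderDateHeadingVulnerable(string $dt): string
{
    return "<h2>Attendance for " . $dt . "</h2>";
}

// Hardened pattern, step 1: validate against an allowlist of what `dt` may be.
// Returns the value unchanged when valid, null otherwise.
function validateDateParam(?string $dt): ?string
{
    if ($dt === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $dt)) {
        return null;
    }
    $parsed = DateTimeImmutable::createFromFormat('!Y-m-d', $dt);
    // createFromFormat silently rolls 2026-02-31 over into March; the round
    // trip through format() catches that.
    if ($parsed === false || $parsed->format('Y-m-d') !== $dt) {
        return null;
    }
    return $dt;
}

// Hardened pattern, step 2: output encoding for the HTML body context.
// ENT_QUOTES also escapes quotes, so the same helper is safe inside quoted
// attribute values; ENT_SUBSTITUTE avoids an empty result on bad UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDateHeadingSafe(?string $dt): string
{
    $valid = validateDateParam($dt);
    if ($valid === null) {
        // Do not reflect the rejected input; return a fixed message instead.
        return "<h2>Attendance: invalid or missing date</h2>";
    }
    // Encode even a validated value, so the rendering is safe on its own
    // should the validation rule be relaxed later.
    return "<h2>Attendance for " . escapeHtml($valid) . "</h2>";
}

// Demonstration with a constructed hostile value (run from the CLI:
// php render_dt.php). In the real page the input would be $_GET['dt'] ?? null.
$hostile = '<script>alert(1)</script>';
echo "vulnerable: ", renderDateHeadingVulnerable($hostile), PHP_EOL; // markup reaches the browser
echo "safe, hostile input: ", renderDateHeadingSafe($hostile), PHP_EOL; // rejected
echo "safe, valid input:   ", renderDateHeadingSafe('2026-03-02'), PHP_EOL;
echo "encoded only:        ", escapeHtml($hostile), PHP_EOL; // angle brackets become entities
```

Validation alone is not sufficient where the parameter is genuinely free-form, and encoding alone is context-dependent (an HTML-encoded value is still unsafe inside a `<script>` block or a URL); applying both, with the encoder chosen for the context the value lands in, is the pattern that removes this class of bug.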
CVE-2026-3412 is a cross-site scripting (XSS) vulnerability affecting version 1.0 of the itsourcecode University Management System, allowing attackers to inject malicious scripts via the /attsingleview.php file.
If you are using itsourcecode University Management System version 1.0 and have not applied a patch, you are likely affected by this vulnerability. Assess your instance immediately.
The recommended fix is to upgrade to a patched version of the University Management System. Until a patch is available, implement WAF rules and server-side input validation.
While no confirmed active exploitation campaigns are currently known, the public availability of a proof-of-concept suggests a high probability of exploitation.
Refer to the itsourcecode website or security mailing lists for the official advisory regarding CVE-2026-3412.