Platform: javascript
Component: notice-form-drawer-vue
Fixed versions: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.1, 3.8.1, 3.9.1, 3.10.1, 3.11.1, 3.12.1, 3.13.1, 3.14.1, 3.15.1, 3.16.1, 3.17.1, 3.18.1, 3.19.1, 3.20.1, 3.21.1, 3.22.1, 3.23.1, 3.24.1, 3.25.1, 3.26.1, 3.27.1, 3.28.1, 3.29.1
CVE-2026-3720 describes a cross-site scripting (XSS) vulnerability discovered in 1024-lab SmartAdmin versions 3.0 through 3.29. This flaw impacts the Notice Module, specifically the notice-form-drawer.vue component, allowing attackers to inject malicious scripts. A public proof-of-concept exists, indicating a potential for active exploitation. Mitigation involves upgrading to a patched version when available.
Successful exploitation of CVE-2026-3720 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session within the SmartAdmin application. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially steal sensitive data entered by users within the Notice Module, such as internal communications or project updates. Given the web-based nature of the application, the blast radius extends to any user accessing the vulnerable component, potentially impacting a wide range of individuals within an organization.
CVE-2026-3720 has a LOW CVSS score of 3.5. A public proof-of-concept has been released, indicating a moderate risk of exploitation. The vulnerability was disclosed on 2026-03-08, and the vendor has not yet responded. Active exploitation is possible given the availability of a PoC.
Organizations utilizing 1024-lab SmartAdmin versions 3.0 through 3.29 are at risk. Specifically, users who interact with the Notice Module are vulnerable to exploitation. Shared hosting environments where multiple users share the same SmartAdmin instance are particularly susceptible.
• javascript / web: Inspect network traffic for unusual JavaScript payloads originating from the notice-form-drawer.vue component.
• generic web: Examine access logs for requests containing suspicious characters or patterns commonly associated with XSS attacks.
• generic web: Review response headers for the presence of Content-Security-Policy (CSP) directives that could mitigate XSS vulnerabilities.
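The second detection item above (examining access logs for XSS-like request patterns) can be turned into a small triage script. The following is an added example and is not code from the advisory or from the SmartAdmin project; the log lines, request paths and indicator list are constructed for illustration, and the `/api/notice/...` paths are assumed, not taken from the product.

```javascript
// Added example (not from the advisory or the SmartAdmin project): scan
// combined-format web-server access log lines for request parameters that
// look like XSS probes. Log lines, paths and indicator names are constructed.

// Indicators kept deliberately narrow to limit false positives: the event
// handler list is explicit so that ordinary parameters such as "option="
// do not trigger it.
const XSS_INDICATORS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\bon(error|load|click|mouseover|mouseenter|focus|input|pageshow)\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'svg-or-img-tag', re: /<\s*(svg|img|iframe)\b/i },
];

// Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Percent-decode up to three times so a doubly-encoded payload still
// surfaces; stop on malformed sequences instead of throwing.
function fullyDecode(s) {
  let prev = null;
  let cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch (e) {
      break;
    }
  }
  return cur;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns one finding per flagged request: source IP, raw path, status and
// the names of the indicators that matched the decoded path.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue; // skip lines that are not in the expected format
    const decoded = fullyDecode(req.path);
    const hits = XSS_INDICATORS.filter((ind) => ind.re.test(decoded)).map((ind) => ind.name);
    if (hits.length > 0) {
      findings.push({ ip: req.ip, path: req.path, status: req.status, indicators: hits });
    }
  }
  return findings;
}

// Constructed sample: two ordinary requests, one plainly encoded probe and
// one double-encoded probe. Only the last two should be reported.
const SAMPLE_LOG = [
  '10.0.0.5 - - [08/Mar/2026:10:00:01 +0000] "GET /api/notice/list?page=1 HTTP/1.1" 200 512',
  '10.0.0.7 - - [08/Mar/2026:10:00:02 +0000] "POST /api/notice/add HTTP/1.1" 200 64',
  '10.0.0.9 - - [08/Mar/2026:10:00:03 +0000] "GET /api/notice/query?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 128',
  '10.0.0.9 - - [08/Mar/2026:10:00:04 +0000] "GET /api/notice/query?title=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 128',
];

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

Run it against a real log by replacing `SAMPLE_LOG` with the file's lines; a `200` status on a flagged request deserves a closer look than a `4xx`, since it means the application accepted the input rather than rejecting it.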
Disclosure
Exploit status:
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-3720 is to upgrade to a patched version of 1024-lab SmartAdmin. As of the publication date, no patch has been released. Until a patch is available, consider implementing input validation and output encoding on the notice-form-drawer.vue component to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Monitor application logs for suspicious activity, such as unusual JavaScript execution patterns.
Update SmartAdmin to version 3.9 or later. If no such version is available, review the code in smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue and fix the XSS vulnerability. Make sure that user input is escaped or sanitized before it is rendered into the page.
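The two mitigation passages above both come down to output encoding of user-supplied notice fields before they reach the page. The following is an added example, not code from the advisory or from SmartAdmin: the `renderNotice*` functions are hypothetical stand-ins for the component's rendering, the notice object is constructed, and the mapping to Vue behaviour (`{{ }}` interpolation escapes, `v-html` does not) is general Vue knowledge rather than a statement about what this component does.

```javascript
// Added example (not from the advisory or from SmartAdmin): output encoding
// for untrusted notice fields before they are rendered as HTML. The
// renderNotice* functions are hypothetical; SAMPLE_NOTICE is constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can break out of an HTML text or attribute
// context. null/undefined render as an empty string.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted fields concatenated straight into markup,
// which is what binding them with v-html in a Vue template amounts to.
function renderNoticeUnsafe(notice) {
  return `<h3>${notice.title}</h3><div class="body">${notice.content}</div>`;
}

// Hardened pattern: every untrusted field is encoded on output, which is
// what plain {{ }} interpolation in a Vue template already does.
function renderNoticeSafe(notice) {
  return `<h3>${escapeHtml(notice.title)}</h3><div class="body">${escapeHtml(notice.content)}</div>`;
}

// If the notice body legitimately needs light formatting, allow-list a few
// tags instead of trusting raw HTML: escape everything, then re-enable only
// the listed tags, and only when they carry no attributes at all.
const ALLOWED_TAGS = ['b', 'i', 'u', 'p', 'br'];

function sanitizeRichText(html) {
  const escaped = escapeHtml(html);
  const tagRe = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  return escaped.replace(tagRe, (_, slash, tag) => `<${slash}${tag.toLowerCase()}>`);
}

// Constructed notice whose fields contain markup, as attacker-controlled
// input would look once stored.
const SAMPLE_NOTICE = {
  title: 'Maintenance <script>alert(1)</script>',
  content: 'Window: <b>22:00</b> to <b>23:00</b> <img src=x onerror=alert(1)>',
};

console.log(renderNoticeSafe(SAMPLE_NOTICE));
console.log(sanitizeRichText(SAMPLE_NOTICE.content));
```

Encoding belongs at the point of output, not only at the point of input: stored data may have arrived through another path (an import, an API client, an older version), so a component that escapes as it renders stays safe regardless of how the record was created. The allow-list sanitizer is intentionally strict (no attributes at all); a production deployment that needs links or images should use a maintained HTML sanitizer library rather than extend this regex.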
CVE-2026-3720 is a cross-site scripting (XSS) vulnerability affecting 1024-lab SmartAdmin versions 3.0–3.29, allowing attackers to inject malicious scripts via the Notice Module.
If you are using 1024-lab SmartAdmin versions 3.0 through 3.29, you are potentially affected by this vulnerability. Check your version and upgrade when a patch is available.
The recommended fix is to upgrade to a patched version of 1024-lab SmartAdmin. Until a patch is released, implement input validation and output encoding.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your application for suspicious activity.
As of the publication date, no official advisory has been released by 1024-lab. Monitor their website and security mailing lists for updates.