Plataforma
java
Componente
smart-sso
Corrigido em
2.1.1
2.1.2
CVE-2026-2972 describes a cross-site scripting (XSS) vulnerability discovered in Smart-SSO versions 2.1.0 through 2.1.1. This flaw resides within the Role Edit Page's Save function, allowing attackers to inject malicious scripts. Successful exploitation could lead to unauthorized access or modification of user data. The vulnerability is publicly disclosed and may be actively exploited.
An attacker exploiting CVE-2026-2972 can inject arbitrary JavaScript code into the Smart-SSO application. This code could be executed in the context of a user's browser, potentially allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the application is used to manage sensitive user data or access critical systems. This XSS vulnerability could be leveraged for phishing attacks or to gain persistent access to the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of a vendor response raises concerns about the timeliness of a patch. While the CVSS score is LOW, the potential for user data compromise and application defacement warrants immediate attention. No known active campaigns have been reported, but the public disclosure makes it a prime target for opportunistic attackers.
Organizations relying on Smart-SSO for single sign-on and identity management are at risk. This includes companies with legacy Smart-SSO deployments, those using the Role Edit Page for administrative tasks, and those who have not implemented robust input validation practices.
• java / server:
# Check for the vulnerable file
find /opt/smart-sso/smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/ -name UserController.java• generic web:
# Check response headers for XSS indicators
curl -I https://your-smart-sso-instance/admin/role-edit | grep -i 'x-xss-protection'disclosure
Status do Exploit
EPSS
0.03% (percentil 7%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2026-2972 is to upgrade Smart-SSO to a version that addresses the vulnerability. As of this writing, no patched version has been released. Until a patch is available, implement strict input validation and output encoding on the Role Edit Page to sanitize user-supplied data. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update security policies and procedures.
Atualizar Smart-SSO para uma versão posterior a 2.1.1. Se não houver atualizações disponíveis, revisar e sanitizar as entradas do usuário na função Save do arquivo smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java para evitar a injeção de código malicioso.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-2972 is a cross-site scripting (XSS) vulnerability affecting Smart-SSO versions 2.1.0 through 2.1.1. It allows attackers to inject malicious scripts via the Role Edit Page.
If you are using Smart-SSO versions 2.1.0 or 2.1.1, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
Upgrade to a patched version of Smart-SSO. Until a patch is released, implement input validation and output encoding, and consider using a WAF.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed and may be exploited by opportunistic attackers.
Due to the lack of vendor response, an official advisory may not be available. Monitor security news sources and the Smart-SSO community for updates.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo pom.xml e descubra na hora se você está afetado.