免费扫描
MEDIUMCVE-2026-2943CVSS 4.3

SapneshNaik 学生管理系统 index.php 跨站脚本漏洞

平台

php

修复版本

4.0.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2026-2943 describes a cross-site scripting (XSS) vulnerability affecting the SapneshNaik Student Management System. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability exists in versions up to f4b4f0928f0b5551a28ee81ae7e7fe47d9345318, and a public exploit is available, indicating an elevated risk. Due to the lack of versioning, specific mitigation steps are limited to input validation and output encoding.

影响与攻击场景翻译中…

Successful exploitation of CVE-2026-2943 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including stealing session cookies, redirecting users to phishing sites, and defacing the application's interface. The attacker could potentially gain access to sensitive student data, such as grades, personal information, and financial details, depending on the application's functionality and data storage practices. Given the availability of a public exploit, the blast radius is significant, potentially impacting all users of the vulnerable Student Management System.

利用背景翻译中…

CVE-2026-2943 has been publicly disclosed and a proof-of-concept exploit is readily available, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. The vendor has not responded to early disclosure attempts, which may indicate a lack of responsiveness to security concerns. The availability of a public exploit significantly increases the risk of widespread exploitation.

哪些人处于风险中翻译中…

Organizations and individuals using the SapneshNaik Student Management System, particularly those without robust input validation and output encoding practices, are at significant risk. Shared hosting environments where multiple users share the same instance of the application are especially vulnerable, as an attacker could potentially compromise the entire hosting environment.

检测步骤翻译中…

• generic web:

curl -I 'http://your-student-management-system.com/index.php?Error=<script>alert(1)</script>' | grep -i content-type

• generic web:

curl 'http://your-student-management-system.com/index.php?Error=<script>alert(1)</script>' | grep -i alert

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露
NextGuard10–15% 仍然脆弱

EPSS

0.03% (9% 百分位)

CISA SSVC

利用情况poc
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R4.3MEDIUMAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionRequired是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
无 — 无机密性影响。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

供应商SapneshNaik
影响范围修复版本
f4b4f0928f0b5551a28ee81ae7e7fe47d9345318 – f4b4f0928f0b5551a28ee81ae7e7fe47d93453184.0.1

弱点分类 (CWE)

CWE-79CWE-94

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期
未修复 — 披露已91天

缓解措施和替代方案翻译中…

Due to the lack of versioning in the SapneshNaik Student Management System, direct patching is not possible. The primary mitigation strategy involves implementing robust input validation and output encoding techniques. Specifically, carefully sanitize all user-supplied input, particularly the 'Error' argument in index.php, to prevent the injection of malicious scripts. Employ output encoding to ensure that any user-supplied data displayed in the application is properly escaped. Consider implementing a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update the application's codebase to address potential security vulnerabilities.

修复方法

升级学生管理系统到补丁版本,或采取必要的安全措施以防止执行不需要的 JavaScript 代码。验证和清理用户输入,特别是 index.php 文件中的 'Error' 参数,以防止跨站脚本 (XSS) 攻击。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-2943 — XSS in SapneshNaik Student Management System?

CVE-2026-2943 is a cross-site scripting (XSS) vulnerability in the SapneshNaik Student Management System allowing attackers to inject malicious scripts. It impacts versions up to f4b4f0928f0b5551a28ee81ae7e7fe47d9345318.

Am I affected by CVE-2026-2943 in SapneshNaik Student Management System?

If you are using the SapneshNaik Student Management System version f4b4f0928f0b5551a28ee81ae7e7fe47d9345318 or earlier, you are potentially affected by this XSS vulnerability.

How do I fix CVE-2026-2943 in SapneshNaik Student Management System?

Due to the lack of versioning, patching is not possible. Mitigate by implementing robust input validation and output encoding techniques, and consider a WAF.

Is CVE-2026-2943 being actively exploited?

A public exploit exists, indicating a high probability of active exploitation and increasing the risk to vulnerable systems.

Where can I find the official SapneshNaik advisory for CVE-2026-2943?

The vendor has not released an official advisory. Refer to the CVE entry for more information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2943

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE