Platform: java
Component: studentmanager
Fixed version: 2151560.0.1
CVE-2026-2201 describes a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager affecting versions up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9. It allows an attacker to inject script into the application's web pages, potentially compromising user sessions and data. Because the project follows a rolling release model, no conventional version numbers are available; all users of the affected component should review the mitigation strategies below.
The flaw lets an attacker inject arbitrary JavaScript into pages served by ZeroWdd studentmanager. Successful exploitation can be used to steal session cookies, redirect users to attacker-controlled sites, or deface the application, and may lead to unauthorized access to sensitive student data such as grades, attendance records and personal information. The vulnerability is remotely exploitable, so the attacker does not need to be on the same network as the studentmanager server, which broadens the attack surface considerably. Given the public disclosure, the risk of exploitation is elevated.
CVE-2026-2201 has been publicly disclosed, which raises the probability of exploitation. Based on its CVSS score the vulnerability is rated LOW severity, although public proof-of-concept code may follow the disclosure. The vulnerability was published on 2026-02-09. It is not currently listed on CISA KEV.
Educational institutions and organizations running ZeroWdd studentmanager are at risk. Deployments in which user-supplied data is reflected into web pages without proper output encoding are the ones exposed. Users who rely on studentmanager to manage sensitive student data should prioritize the recommended mitigations.
Detection
• java / server (checks whether the affected handler is present in the deployed source tree):
grep -r "Reason for Leave" src/main/java/com/wdd/studentmanager/controller/LeaveController.java | grep -i "<script"
• generic web (checks whether the legacy XSS filter header is sent; note that current browsers ignore X-XSS-Protection, so its presence is not a mitigation):
curl -I <studentmanager_url>/leave/add | grep -i "X-XSS-Protection"
Exploitation status: disclosure
EPSS: 0.03% (9th percentile)
CISA SSVC: not available
CVSS vector: not available
Because ZeroWdd studentmanager follows a rolling release model, no direct patch is available. The primary mitigation is to add input validation and, more importantly, output encoding for the 'Reason for Leave' field handled in LeaveController.java: validate the submitted value on the server and HTML-encode it wherever it is rendered, so that submitted HTML or JavaScript is displayed as text rather than interpreted by the browser. A WAF (Web Application Firewall) can filter obvious payloads but should be treated as a secondary control, not a fix. Review and update the application's codebase regularly. After applying these changes, test the application with typical XSS payloads to confirm that the field is rendered safely and that no new issues have been introduced.
Because the project's code repository has been inactive for years and uses a rolling release model with no specific version information available, the recommendation is to stop using the software or to find a secure alternative. If it must remain in use, manually review and fix the code in `src/main/java/com/wdd/studentmanager/controller/LeaveController.java` to remove the XSS in the `addLeave` function by escaping or sanitizing the `Reason for Leave` parameter.
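The following stand-alone Java program is an added example illustrating the mitigation described above; it is not code from the ZeroWdd project, and the class, method and field names in it are assumed for illustration only. It contrasts rendering the reason field raw (the unsafe pattern behind a stored XSS) with validating it on input and HTML-encoding it on output, using a constructed script payload as test input.

```java
import java.util.regex.Pattern;

// Added example, not project code: server-side handling of a free-text
// "Reason for Leave" value. Names (validateReason, renderUnsafe, renderSafe)
// are assumed for illustration.
public class LeaveReasonExample {

    // Assumed policy limit for the field; not taken from the project.
    private static final int MAX_REASON_LENGTH = 500;

    // Control characters other than tab/newline have no place in free text.
    private static final Pattern CONTROL_CHARS =
            Pattern.compile("[\\p{Cntrl}&&[^\\r\\n\\t]]");

    // Input validation: reject empty, oversized or control-laden input.
    // This does NOT strip '<' or '&': legitimate text may contain them, and
    // blocklisting tags is bypassable. Safety comes from output encoding.
    public static String validateReason(String reason) {
        if (reason == null || reason.isBlank()) {
            throw new IllegalArgumentException("reason is required");
        }
        String trimmed = reason.strip();
        if (trimmed.length() > MAX_REASON_LENGTH) {
            throw new IllegalArgumentException("reason exceeds " + MAX_REASON_LENGTH + " characters");
        }
        if (CONTROL_CHARS.matcher(trimmed).find()) {
            throw new IllegalArgumentException("reason contains control characters");
        }
        return trimmed;
    }

    // Output encoding for an HTML text or attribute context: the five characters
    // that can change HTML structure are replaced by entity references.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unsafe pattern: the stored value is concatenated straight into markup,
    // so a submitted <script> element is executed by every viewer's browser.
    public static String renderUnsafe(String storedReason) {
        return "<td class=\"reason\">" + storedReason + "</td>";
    }

    // Hardened pattern: the same value is encoded at the point of rendering.
    public static String renderSafe(String storedReason) {
        return "<td class=\"reason\">" + escapeHtml(storedReason) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed test input standing in for a malicious leave request.
        String submitted = "  <script>alert(document.cookie)</script>  ";

        // Validation passes: the payload is short, printable text.
        String stored = validateReason(submitted);

        System.out.println("unsafe: " + renderUnsafe(stored));
        System.out.println("safe:   " + renderSafe(stored));
    }
}
```

The unsafe line prints a live script element, while the safe line prints `&lt;script&gt;...&lt;/script&gt;`, which the browser shows as text. In a Spring application the hand-written `escapeHtml` can be replaced by `org.springframework.web.util.HtmlUtils.htmlEscape`, and the same rule applies to the view layer: the field must be rendered through an escaping construct, never through one that emits raw HTML.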
CVE-2026-2201 is a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager versions up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9 that allows attackers to inject malicious scripts.
If you are running ZeroWdd studentmanager at or before commit 2151560fc0a50ec00426785ec1e01a3763b380d9, you are potentially affected by this XSS vulnerability.
Because of the rolling release model, no direct patch is available. Implement input validation and output encoding for the 'Reason for Leave' field, and consider a WAF as an additional layer.
The vulnerability has been publicly disclosed, which increases the likelihood of exploitation. Monitor your systems for suspicious activity such as unexpected script content in leave requests.
Refer to the ZeroWdd project's official communication channels and documentation for the latest advisory regarding CVE-2026-2201.