平台
java
组件
smart-sso
修复版本
2.1.1
2.1.2
CVE-2026-2972 describes a cross-site scripting (XSS) vulnerability discovered in Smart-SSO versions 2.1.0 through 2.1.1. This flaw resides within the Role Edit Page's Save function, allowing attackers to inject malicious scripts. Successful exploitation could lead to unauthorized access or modification of user data. The vulnerability is publicly disclosed and may be actively exploited.
An attacker exploiting CVE-2026-2972 can inject arbitrary JavaScript code into the Smart-SSO application. This code could be executed in the context of a user's browser, potentially allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the application is used to manage sensitive user data or access critical systems. This XSS vulnerability could be leveraged for phishing attacks or to gain persistent access to the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of a vendor response raises concerns about the timeliness of a patch. While the CVSS score is LOW, the potential for user data compromise and application defacement warrants immediate attention. No known active campaigns have been reported, but the public disclosure makes it a prime target for opportunistic attackers.
Organizations relying on Smart-SSO for single sign-on and identity management are at risk. This includes companies with legacy Smart-SSO deployments, those using the Role Edit Page for administrative tasks, and those who have not implemented robust input validation practices.
• java / server:
# Check for the vulnerable file
find /opt/smart-sso/smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/ -name UserController.java• generic web:
# Check response headers for XSS indicators
curl -I https://your-smart-sso-instance/admin/role-edit | grep -i 'x-xss-protection'disclosure
漏洞利用状态
EPSS
0.03% (7% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2026-2972 is to upgrade Smart-SSO to a version that addresses the vulnerability. As of this writing, no patched version has been released. Until a patch is available, implement strict input validation and output encoding on the Role Edit Page to sanitize user-supplied data. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update security policies and procedures.
升级 Smart-SSO 到 2.1.1 版本之后。如果不可用,请审查并清理 smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java 文件的 Save 函数中的用户输入,以防止恶意代码注入 (code injection)。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-2972 is a cross-site scripting (XSS) vulnerability affecting Smart-SSO versions 2.1.0 through 2.1.1. It allows attackers to inject malicious scripts via the Role Edit Page.
If you are using Smart-SSO versions 2.1.0 or 2.1.1, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
Upgrade to a patched version of Smart-SSO. Until a patch is released, implement input validation and output encoding, and consider using a WAF.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed and may be exploited by opportunistic attackers.
Due to the lack of vendor response, an official advisory may not be available. Monitor security news sources and the Smart-SSO community for updates.
上传你的 pom.xml 文件,立即知道是否受影响。