Platform: javascript
Component: notice-form-drawer-vue
Fixed versions: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.1, 3.8.1, 3.9.1, 3.10.1, 3.11.1, 3.12.1, 3.13.1, 3.14.1, 3.15.1, 3.16.1, 3.17.1, 3.18.1, 3.19.1, 3.20.1, 3.21.1, 3.22.1, 3.23.1, 3.24.1, 3.25.1, 3.26.1, 3.27.1, 3.28.1, 3.29.1
CVE-2026-3720 describes a cross-site scripting (XSS) vulnerability discovered in 1024-lab SmartAdmin versions 3.0 through 3.29. This flaw impacts the Notice Module, specifically the notice-form-drawer.vue component, allowing attackers to inject malicious scripts. A public proof-of-concept exists, indicating a potential for active exploitation. Mitigation involves upgrading to a patched version when available.
Successful exploitation of CVE-2026-3720 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session within the SmartAdmin application. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially steal sensitive data entered by users within the Notice Module, such as internal communications or project updates. Given the web-based nature of the application, the blast radius extends to any user accessing the vulnerable component, potentially impacting a wide range of individuals within an organization.
CVE-2026-3720 has a LOW CVSS score of 3.5. A public proof-of-concept has been released, indicating a moderate risk of exploitation. The vulnerability was disclosed on 2026-03-08, and the vendor has not yet responded. Active exploitation is possible given the availability of a PoC.
Organizations utilizing 1024-lab SmartAdmin versions 3.0 through 3.29 are at risk. Specifically, users who interact with the Notice Module are vulnerable to exploitation. Shared hosting environments where multiple users share the same SmartAdmin instance are particularly susceptible.
• javascript / web: Inspect network traffic for unusual JavaScript payloads originating from the notice-form-drawer.vue component.
• generic web: Examine access logs for requests containing suspicious characters or patterns commonly associated with XSS attacks.
• generic web: Review response headers for the presence of Content-Security-Policy (CSP) directives that could mitigate XSS vulnerabilities.
Disclosure
Exploitation status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3720 is to upgrade to a patched version of 1024-lab SmartAdmin. As of the publication date, no patch has been released. Until a patch is available, consider implementing input validation and output encoding on the notice-form-drawer.vue component to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Monitor application logs for suspicious activity, such as unusual JavaScript execution patterns.
Update SmartAdmin to a version later than 3.9. If that is not possible, inspect the code in smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue and fix the XSS vulnerability. Make sure user input is escaped or sanitized before it is rendered to the page.
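The escaping and sanitization the mitigation above calls for, as an added example that is not SmartAdmin's own code: the notice title is rendered as escaped text and the notice body passes through an attribute-stripping allowlist sanitizer before being inserted as markup (the equivalent of Vue's v-html). The field names `title` and `content` and the tag allowlist are assumptions.

```javascript
// Added example, not code from the SmartAdmin project. The notice field
// names (`title`, `content`) and the tag allowlist are assumptions.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every HTML-significant character so the browser treats the value
// as text. Use this for fields rendered as plain text, e.g. the title.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tags the notice body may keep. Attributes are never preserved, so event
// handlers (onerror, onclick, ...) and javascript: URLs cannot survive.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "strong", "em", "ul", "ol", "li"]);

// Conservative allowlist sanitizer: allowed tags are re-emitted bare (no
// attributes); every other tag and all text is HTML-escaped. Intended for
// content that will be inserted as markup.
function sanitizeNoticeHtml(html) {
  const out = [];
  for (const piece of String(html).split(/(<[^>]*>)/)) {
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>$/.exec(piece);
    if (m && ALLOWED_TAGS.has(m[2].toLowerCase())) {
      out.push(`<${m[1]}${m[2].toLowerCase()}>`);
    } else {
      out.push(escapeHtml(piece));
    }
  }
  return out.join("");
}

// Build the markup a notice drawer would render: title as escaped text,
// body as sanitized HTML.
function renderNotice(notice) {
  return `<h3>${escapeHtml(notice.title)}</h3><div>${sanitizeNoticeHtml(notice.content)}</div>`;
}

// Constructed sample notice carrying hostile markup in both fields.
const sampleNotice = {
  title: "Q3 plan <script>x</script>",
  content: '<p onclick="x">Hi <b>team</b></p><img src=x onerror=alert(1)>',
};
console.log(renderNotice(sampleNotice));
```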
CVE-2026-3720 is a cross-site scripting (XSS) vulnerability affecting 1024-lab SmartAdmin versions 3.0–3.29, allowing attackers to inject malicious scripts via the Notice Module.
If you are using 1024-lab SmartAdmin versions 3.0 through 3.29, you are potentially affected by this vulnerability. Check your version and upgrade when a patch is available.
The recommended fix is to upgrade to a patched version of 1024-lab SmartAdmin. Until a patch is released, implement input validation and output encoding.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your application for suspicious activity.
As of the publication date, no official advisory has been released by 1024-lab. Monitor their website and security mailing lists for updates.