I. Basic Information on Vulnerability CVE-2026-1134
Vulnerability information
# itsourcecode Society Management System XSS Vulnerability

## Overview
A cross-site scripting (XSS) vulnerability exists in itsourcecode Society Management System 1.0, specifically within the `/admin/expenses.php` file. The vulnerability is triggered by manipulating the `detail` parameter.

## Affected Versions
itsourcecode Society Management System 1.0

## Details
The vulnerability is located in the `detail` parameter processed by `/admin/expenses.php`. Insufficient input validation or output encoding allows malicious scripts to be injected and executed in the browser of an authenticated user accessing the admin interface.

## Impact
The vulnerability enables remote attackers to perform cross-site scripting attacks, potentially leading to session hijacking, unauthorized actions, or data theft. Exploitation requires access to the admin panel, but the exploit is publicly available, increasing the risk of active use.
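The flaw described above is a user-controlled `detail` value reaching the HTML response without encoding. What follows is an added, hypothetical illustration, not code from the itsourcecode project (its actual `/admin/expenses.php` source is not shown on this page): a vulnerable echo of `detail` beside a hardened version that applies the fixes recommended in the issue summary on this page (output encoding, input validation, CSP, cookie flags). The function names and the assumption that `detail` is rendered into a table cell are mine.

```php
<?php
// Added hypothetical illustration; the real /admin/expenses.php source is not on this page.
// Assumed: the admin page renders the submitted `detail` value into an HTML table cell.
declare(strict_types=1);

// Vulnerable pattern (assumed): user input interpolated into HTML unchanged,
// so a value such as <script>alert('XSS')</script> is sent to the browser as markup.
function render_detail_vulnerable(string $detail): string
{
    return "<td>{$detail}</td>";
}

// Mitigation 2: reject input that does not match the expected shape
// (a short, printable, single-line description).
function is_valid_detail(string $detail): bool
{
    return mb_strlen($detail, 'UTF-8') <= 255
        && preg_match('/^[^\p{Cc}]*$/u', $detail) === 1;   // no control characters, valid UTF-8
}

// Mitigation 1: HTML-entity encode at the output point. ENT_QUOTES escapes both quote
// styles (so the value is also safe inside attributes); ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently producing an empty string. The result can carry no executable tag.
function render_detail_hardened(string $detail): string
{
    if (!is_valid_detail($detail)) {
        $detail = '[invalid detail]';
    }
    $safe = htmlspecialchars($detail, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<td>{$safe}</td>";
}

// Mitigations 3 and 4: defence in depth for every admin page. Call before any output
// and before session_start(). header() is a no-op when run from the CLI.
function send_hardening_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Demo with the PoC payload quoted in the advisory on this page.
$payload = "<script>alert('XSS')</script>";
send_hardening_headers();
echo render_detail_vulnerable($payload), PHP_EOL;  // raw <script> tag reaches the browser
echo render_detail_hardened($payload), PHP_EOL;    // only HTML entities; nothing executes
```

Encoding belongs at the output point because the same stored value may later be rendered in a different context (attribute, JavaScript string), where a single input-side filter is not sufficient.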
                                        
Shenlong assessment

Is this a web-class vulnerability: Unknown

Reason:

N/A
Vulnerability title
itsourcecode Society Management System expenses.php cross site scripting
Source: US National Vulnerability Database (NVD)
Vulnerability description
A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Source: US National Vulnerability Database (NVD)
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Source: US National Vulnerability Database (NVD)
Vulnerability category
Improper neutralization of input during web page generation (cross-site scripting)
Source: US National Vulnerability Database (NVD)
II. Public PoCs for Vulnerability CVE-2026-1134
# | PoC description | Source link | Shenlong link (no public PoC entries are listed)
III. Intelligence on Vulnerability CVE-2026-1134
  • Title: itsourcecode Society Management System Project V1.0 /admin/expenses.php cross site scripting · Issue #7 · TEhS411/cve -- 🔗 Source link

    Tags: exploit, issue-tracking

    Shenlong quick read:
    ### Key vulnerability information

    #### Affected product
    - **Society Management System**

    #### Version
    - **V1.0**

    #### Software link
    - [Society Management System Project](https://itsourcecode.com/free-projects/php-project/society-management-system-project-in-php-free-download/)

    #### Vulnerability type
    - **XSS**

    #### Root cause
    - An XSS vulnerability was found in the `/admin/expenses.php` file, caused by the lack of proper encoding and filtering of the `detail` parameter.

    #### Vulnerability location
    - `detail` parameter

    #### Vulnerability details and PoC
    ```html
    <script>alert('XSS')</script>
    ```

    #### Recommended mitigations
    1. **Output encoding**: encode user input when it is written to the page.
    2. **Input validation and filtering**: ensure only input matching the expected format is accepted.
    3. **Use CSP**: implement a Content Security Policy to restrict the sources from which scripts may execute.
    4. **Secure cookie settings**: use the HttpOnly and Secure flags to harden cookies.
    5. **Regular security audits**: audit code and systems on a regular schedule.
  • Title: Itsourcecode.com - Partner In Your Coding Journey! -- 🔗 Source link

    Tags: product
  • https://vuldb.com/?ctiid.341724 -- Tags: signature, permissions-required
  • Title: Submit #735156: itsourcecode Society Management System V1.0 cross site scripting -- 🔗 Source link

    Tags: third-party-advisory

    Shenlong quick read:
    ## Key vulnerability information
    
    - **Title**: itsourcecode Society Management System V1.0 cross site scripting
    - **Description**:
      - Critical XSS vulnerability in `/admin/expenses.php`.
      - Insufficient user input validation and output encoding of the 'detail' parameter.
      - Allows attackers to inject malicious script code.
      - Can execute arbitrary scripts, steal sensitive information, and perform actions on behalf of the victim.
    - **Submission**:
      - Date: 01/09/2026 09:42 AM
      - User: T3h5 (UID 83651)
      - Source: https://github.com/TEhS411/cve/issues/7
    - **Moderation**:
      - Date: 01/18/2026 08:16 AM
      - Status: Accepted
      - VulDB Entry: 341724
      - Points: 20
  • https://vuldb.com/?id.341724 -- Tags: vdb-entry, technical-description
  • https://nvd.nist.gov/vuln/detail/CVE-2026-1134
IV. Comments on Vulnerability CVE-2026-1134

No comments yet