CVE-2026-2972 Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in a466350665 Smart-SSO versions up to 2.1.1. This vulnerability affects the Save function within the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the Role Edit Page component. Successful exploitation allows an attacker to inject malicious scripts that execute in the context of other users' browser sessions.
Critical Impact
Authenticated administrators with elevated privileges can inject persistent malicious scripts into the Role Edit Page, potentially compromising other administrative users' sessions or stealing sensitive authentication data.
Affected Products
- a466350665 Smart-SSO versions up to 2.1.1
- Smart-SSO Role Edit Page component
- UserController.java Save function
Discovery Timeline
- 2026-02-23 - CVE-2026-2972 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-2972
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the Role Edit Page of the Smart-SSO server's administrative interface. The Save function in UserController.java fails to properly sanitize or encode user-supplied input before rendering it in the web page context.
The attack requires network access and elevated privileges (administrative access) to initially inject the malicious payload. However, once stored, the XSS payload can affect other users who access the compromised Role Edit Page, including other administrators. User interaction is required for the stored payload to execute in a victim's browser.
The vendor was contacted about this disclosure but did not respond, and the exploit has been publicly disclosed and may be utilized by threat actors.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding in the Save function of the UserController.java file. When role data is submitted through the Role Edit Page, the application stores the user-provided input without proper sanitization. Subsequently, when this data is rendered back to users viewing the page, the malicious script content is included directly in the HTML response without encoding, allowing arbitrary JavaScript execution in the victim's browser context.
Attack Vector
The attack vector is network-based, requiring an authenticated attacker with administrative privileges to access the Role Edit Page. The attacker manipulates input fields in the role editing interface to inject malicious JavaScript code. This payload is stored server-side and subsequently executed whenever another user accesses the affected page.
The vulnerability manifests in the role data handling within the Save function of UserController.java. An attacker can inject JavaScript payloads through role-related form fields that are not properly sanitized before being stored and rendered. For detailed technical analysis and proof-of-concept information, see the Notion SSO XSS Analysis documentation.
Detection Methods for CVE-2026-2972
Indicators of Compromise
- Unexpected JavaScript code or HTML tags present in role name or description fields in the database
- Browser console errors or unusual script execution when accessing the Role Edit Page
- Unexplained network requests to external domains originating from administrator sessions
- Session tokens or credentials appearing in unexpected HTTP requests or logs
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in POST requests to the Role Edit endpoint
- Monitor application logs for requests containing script tags, event handlers, or encoded JavaScript patterns
- Deploy browser-based Content Security Policy (CSP) violation reporting to detect unauthorized script execution
- Conduct periodic database audits to identify stored payloads containing suspicious HTML or JavaScript content
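As an added illustration of the log-monitoring and database-audit strategies above (this is example code written for this page, not Smart-SSO code and not part of the advisory), the following Python scans constructed role rows and access-log lines for the indicators named: script tags, event-handler attributes, `javascript:` URIs, and URL-, entity- or unicode-encoded variants of them. Each value is scanned both raw and after up to two rounds of decoding, so a payload that was URL-encoded (or double-encoded) in a POST is still caught. The field names, the `/admin/role/save` path and the log format are placeholders, not the project's real schema or routes; the scanner is written in Python rather than the project's Java because it runs outside the application, over a database export or a log file.

```python
import html
import re
from urllib.parse import unquote_plus

# Indicators of markup or script in fields that should only ever hold plain text.
# The event-handler list is deliberately explicit so that ordinary query-string
# keys such as "online=" do not trigger it.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "html_tag": re.compile(r"<\s*[a-z][a-z0-9]*(?:\s[^>]*)?>", re.IGNORECASE),
    "event_handler": re.compile(
        r"\bon(?:error|load|click|mouseover|mouseenter|focus|blur|input|change"
        r"|submit|keydown|keyup|toggle|animationstart)\s*=",
        re.IGNORECASE,
    ),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "js_unicode_escape": re.compile(r"\\u003c", re.IGNORECASE),
}


def normalize(value, rounds=2):
    """Undo URL- and entity-encoding (up to `rounds` times) so obfuscated
    payloads are scanned in their decoded form as well as their raw form."""
    current = value
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current


def scan_value(value):
    """Return the sorted names of every indicator that matches the value,
    either as stored or after decoding."""
    hits = set()
    for candidate in (value, normalize(value)):
        for name, pattern in XSS_INDICATORS.items():
            if pattern.search(candidate):
                hits.add(name)
    return sorted(hits)


# Constructed sample rows, standing in for a role table export. The field names
# are an assumption, not the project's real schema.
SAMPLE_ROLE_ROWS = [
    {"id": 1, "name": "auditor", "description": "Read-only access to reports"},
    {"id": 2, "name": "ops<script>alert(1)</script>", "description": "operations"},
    {"id": 3, "name": "viewer", "description": "<img src=x onerror=alert(1)>"},
]

# Constructed sample access-log lines in combined-log style. The path is a
# placeholder for whatever route the Role Edit Page's Save function uses.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - admin [23/Feb/2026:10:01:02 +0000] '
    '"POST /admin/role/save?name=auditor&desc=Read-only+reports HTTP/1.1" 200 512',
    '203.0.113.10 - admin [23/Feb/2026:10:02:17 +0000] '
    '"POST /admin/role/save?name=ops%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.10 - admin [23/Feb/2026:10:03:40 +0000] '
    '"GET /admin/role/list?online=1 HTTP/1.1" 200 2048',
]


def audit_role_rows(rows, fields=("name", "description")):
    """Database audit: (row id, field, indicators) for every suspicious value."""
    findings = []
    for row in rows:
        for field in fields:
            hits = scan_value(row[field])
            if hits:
                findings.append((row["id"], field, hits))
    return findings


def audit_log_lines(lines):
    """Log review: (client address, indicators) for every suspicious request."""
    findings = []
    for line in lines:
        hits = scan_value(line)
        if hits:
            findings.append((line.split()[0], hits))
    return findings


if __name__ == "__main__":
    for finding in audit_role_rows(SAMPLE_ROLE_ROWS):
        print("stored payload:", finding)
    for finding in audit_log_lines(SAMPLE_LOG_LINES):
        print("suspicious request:", finding)
```

Run against a real export or log, the hit names tell the analyst which indicator fired, and a row that matches `script_tag` or `event_handler` in a field that should be a plain role name is worth treating as a stored payload rather than a false positive; the `html_tag` indicator alone is noisier and is better used to prioritise manual review.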
Monitoring Recommendations
- Enable detailed logging for all administrative actions on the Role Edit Page
- Configure alerting for unusual patterns in role data modifications
- Implement real-time monitoring for CSP violations on administrative interfaces
- Review access logs for the UserController endpoint for anomalous activity patterns
How to Mitigate CVE-2026-2972
Immediate Actions Required
- Restrict access to the Role Edit Page to only essential administrative personnel
- Implement a Web Application Firewall (WAF) with XSS filtering rules as an interim protection measure
- Audit existing role data in the database for any malicious script content and sanitize affected records
- Enable Content Security Policy (CSP) headers to mitigate the impact of potential XSS exploitation
Patch Information
At the time of publication, the vendor (a466350665) has not released an official patch for this vulnerability. The vendor was contacted about this disclosure but did not respond. Organizations using Smart-SSO should monitor the project repository for security updates and consider alternative SSO solutions if the vulnerability remains unpatched. For additional context, refer to VulDB #347339.
Workarounds
- Implement server-side input validation to reject or encode HTML/JavaScript in role-related fields
- Deploy an output encoding library so that every user-supplied value is HTML-encoded for the context in which it is rendered (element content or attribute value) before the page is generated
- Configure strict Content Security Policy headers to prevent inline script execution
- Consider implementing a custom input sanitization filter for the affected UserController.java endpoints
# Example CSP header configuration for Apache
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self';"
# Example CSP header configuration for Nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self';" always;
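The following is an added example, written for this page in Python rather than the project's Java and not taken from Smart-SSO's UserController, that puts the root cause described above next to the first two workarounds. The vulnerable pair stores and interpolates role data verbatim, which is the pattern the advisory describes; the hardened pair validates the role name against an allow-list at save time and HTML-encodes every value at render time for the context it lands in (element body, quoted attribute, textarea). The in-memory ROLES dict, the field names, the page markup and the allow-list regex are assumptions made for the illustration.

```python
import html
import re

# Constructed in-memory store; stands in for wherever the application persists roles.
ROLES = {}

# Assumption: role names are short identifiers, so markup can be rejected outright.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")
MAX_DESCRIPTION = 500


class ValidationError(ValueError):
    pass


def save_role_vulnerable(role_id, name, description):
    """Mirror of the flaw the advisory describes: input stored as-is, no validation."""
    ROLES[role_id] = {"name": name, "description": description}


def render_edit_page_vulnerable(role_id):
    """Raw interpolation: whatever was stored is emitted into the HTML unchanged,
    so a stored <script> element or an attribute break-out executes in the
    browser of the next administrator who opens the page."""
    role = ROLES[role_id]
    return (
        f'<h1>Edit role {role["name"]}</h1>\n'
        f'<input name="name" value="{role["name"]}">\n'
        f'<textarea name="description">{role["description"]}</textarea>'
    )


def save_role_hardened(role_id, name, description):
    """Server-side validation: reject anything but identifier characters in the
    name, and bound the free-text description (it is encoded on output instead)."""
    if not ROLE_NAME_RE.fullmatch(name):
        raise ValidationError("role name may only contain letters, digits, '_', '.' and '-'")
    if len(description) > MAX_DESCRIPTION:
        raise ValidationError("description too long")
    ROLES[role_id] = {"name": name, "description": description}


def render_edit_page_hardened(role_id):
    """Output encoding: escape <, >, &, " and ' so the value is inert both as
    element content and inside a double-quoted attribute, and cannot close
    the surrounding <textarea>."""
    role = ROLES[role_id]
    name = html.escape(role["name"], quote=True)
    description = html.escape(role["description"], quote=True)
    return (
        f'<h1>Edit role {name}</h1>\n'
        f'<input name="name" value="{name}">\n'
        f'<textarea name="description">{description}</textarea>'
    )


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # constructed canary, not an exploit
    save_role_vulnerable("demo-vuln", "ops", payload)
    print(render_edit_page_vulnerable("demo-vuln"))   # script element reaches the browser
    save_role_hardened("demo-safe", "ops", payload)
    print(render_edit_page_hardened("demo-safe"))     # &lt;script&gt; rendered as text
```

In the Java code base the encoding step is what `org.springframework.web.util.HtmlUtils.htmlEscape` or the OWASP Java Encoder's `Encode.forHtml` provide. Whichever library is used, encode at render time for the exact context (element body, attribute, JavaScript, URL) rather than relying on stripping tags at input, because stored role data may be rendered in more than one place and by more than one template; the CSP headers shown above then act as a second layer if an encoding call is missed.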
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


