Impact
A flaw in Society Management System 1.0 allows an attacker to manipulate the ‘detail’ parameter sent to the /admin/expenses.php endpoint, leading to reflected cross‑site scripting. Because the parameter is echoed back into the page without being neutralised, an attacker who gets a victim to open a crafted link can run arbitrary script in the victim’s browser in the context of the application, which can be used to hijack sessions, deface content, or stage further client‑side attacks. The description also references CWE‑94 (code injection), which is broader than the CWE‑79 classification normally used for XSS; nothing on this page indicates server‑side code execution, so the practical impact should be read as script execution in the browser. The impact falls mainly on the confidentiality and integrity of session data and page content; any effect on availability is limited to what injected script can do on the client side.
Affected Systems
The vulnerable product is the itsourcecode Society Management System, version 1.0, distributed by itsourcecode. No other versions or sub‑products are referenced, and the only known CPE covers that same product and version, so installations of version 1.0 are the ones to check for this flaw.
Risk and Exploitability
The CVSS base score of 5.3 places the issue in the medium severity range, while the EPSS score of less than 1 % indicates a low but non‑zero probability of exploitation in the wild. The attack is launched remotely with ordinary HTTP requests, and a public exploit is available as noted in the advisory. Because the vulnerability is not listed in the CISA KEV catalog, it is not currently known to be actively exploited at scale; still, the public exploit lowers the bar for attackers with modest resources. As with any reflected XSS, exploitation also requires a victim to open a crafted link or submit a crafted request, so the exposure is greatest for administrators who follow links while logged in.
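The reflection described under Impact and the remote HTTP attack path described above can both be checked without a payload. The following is an added example written for this page, not code from itsourcecode or from the advisory. It sends a unique, inert marker in the ‘detail’ parameter and classifies how the response echoes it, and it scans access‑log lines for requests to /admin/expenses.php whose ‘detail’ value contains HTML‑significant characters. The sample response bodies and log lines are constructed here for the example; the page says nothing about authentication, so since the endpoint sits under /admin/ assume a valid session is needed when the probe URL is used against a real install.

```python
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "/admin/expenses.php"   # endpoint named in the advisory
PARAM = "detail"                   # parameter named in the advisory

# Characters that an HTML sink must neutralise before echoing input.
# The probe is inert: it contains no tag name and no event handler.
PROBE_CHARS = '<">\''


def make_marker() -> str:
    """Unique token so the reflection cannot be confused with page content."""
    return "rx" + secrets.token_hex(4)


def build_probe(marker: str) -> str:
    """Value sent in `detail`: marker, the sensitive characters, marker again."""
    return f"{marker}{PROBE_CHARS}{marker}"


def build_probe_url(base_url: str, probe: str) -> str:
    """Full URL for the probe request (urlencode percent-encodes the probe)."""
    return f"{base_url.rstrip('/')}{ENDPOINT}?{urlencode({PARAM: probe})}"


def classify_reflection(body: str, marker: str) -> str:
    """
    'unescaped' -> marker and the raw < " > ' came back verbatim (vulnerable)
    'escaped'   -> marker came back but the raw characters did not
    'absent'    -> the parameter is not reflected in this response at all
    """
    if build_probe(marker) in body:
        return "unescaped"
    if marker in body:
        return "escaped"
    return "absent"


# Detection side: flag requests to the endpoint whose `detail` value carries
# HTML-significant characters or script-like fragments after URL decoding.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)


def suspicious_detail_requests(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        for value in parse_qs(parts.query).get(PARAM, []):  # parse_qs decodes %xx
            if SUSPICIOUS.search(value):
                hits.append((parts.path, value))
    return hits


# Constructed sample data (not captured from a real install).
SAMPLE_MARKER = "rxdeadbeef"
# What the page would contain if it echoes `detail` raw ...
VULNERABLE_BODY = f"<h3>Expense detail: {build_probe(SAMPLE_MARKER)}</h3>"
# ... versus through an HTML-entity encoder such as htmlspecialchars(ENT_QUOTES).
FIXED_BODY = "<h3>Expense detail: " + html.escape(build_probe(SAMPLE_MARKER), quote=True) + "</h3>"
UNRELATED_BODY = "<h3>Expense detail: Monthly dues</h3>"

SAMPLE_LOG = [  # constructed combined-format access-log lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/expenses.php?detail=Electricity HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/expenses.php?detail=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1100',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /admin/index.php?detail=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    marker = make_marker()
    print("probe URL:", build_probe_url("http://society.example", build_probe(marker)))
    for name, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY), ("unrelated", UNRELATED_BODY)):
        print(name, "->", classify_reflection(body, SAMPLE_MARKER))
    print("log hits:", suspicious_detail_requests(SAMPLE_LOG))
```

An "unescaped" result on a live response is the condition the advisory describes; "escaped" is what a fix such as wrapping the echo in htmlspecialchars($detail, ENT_QUOTES, 'UTF-8') produces. The log check is a coarse filter: it will miss values the application receives in a POST body and will flag legitimate free‑text containing quotes, so treat its hits as leads for review rather than confirmed attacks.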
OpenCVE Enrichment