CVE-2025-2711 Scanner

Yonyou UFIDA ERP-NC is a comprehensive Enterprise Resource Planning system widely used by businesses to optimize and streamline their operations. It is typically used by large and medium-sized enterprises in various industries, including finance, manufacturing, and supply chain management, to integrate and manage business processes across functions. Companies choose ERP-NC to increase efficiency, reduce costs, and gain insights into their business operations through consolidated data. The system comprises modules that cover areas such as finance, human resources, procurement, and logistics, allowing for customizable configurations to meet specific business needs. Users range from IT staff responsible for implementation and maintenance to department heads and employees who utilize the system's functionalities for daily operations. The broad usage of ERP-NC makes it crucial for maintaining data security and privacy across the organization.

Cross-Site Scripting (XSS) is a common vulnerability affecting web applications, where malicious scripts are executed in another user's browser. In the case of Yonyou UFIDA ERP-NC, this vulnerability arises from unsanitized inputs being used in the system's help JSP files. Attackers can leverage this flaw by injecting malicious scripts that execute within the context of the victim's session. This could result in the compromise of user accounts, theft of cookies, or unauthorized actions performed on the user's behalf. The vulnerability specifically affects the langcode parameter, which does not properly sanitize user input before rendering it on the client side. XSS attacks can be particularly damaging in enterprise environments as they can propagate unauthorized access and data breaches.

The vulnerability lies in the /help/systop.jsp and /help/top.jsp files within Yonyou UFIDA ERP-NC version 5.0. The affected parameter, langcode, is not adequately validated for dangerous characters or script tags, thereby allowing attackers to inject client-side scripts. Exploiting this vulnerability entails crafting a malicious request that triggers JavaScript execution when accessed by victims through their web browsers. The identified payloads demonstrate this by using an SVG tag with an onload event handler designed to alert the document domain. A key technical detail is that this payload ensures detection by targeting behaviors indicative of unsanitized content rendering, proving the response surface susceptible to manipulation.

When exploited, this XSS vulnerability can have severe implications for businesses relying on Yonyou UFIDA ERP-NC. Possible effects include unauthorized access to sensitive data, such as user credentials, through session hijacking, where attackers gain control over users' browsers. Attackers could also inject misleading content or redirect users to malicious sites, leading to further security breaches. Furthermore, if an attacker gains administrative access, they could alter system settings or extract confidential business data, disrupting operations. The financial and reputational damage from such attacks can be extensive, emphasizing the need for prompt remediation and effective security measures.

REFERENCES

• https://github.com/Hebing123/cve/issues/86
• https://nvd.nist.gov/vuln/detail/CVE-2025-2711