CVE-2025-2709 Scanner
CVE-2025-2709 Scanner - Cross-Site Scripting (XSS) vulnerability in Yonyou UFIDA ERP-NC
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 22 hours
Scan only one: URL
Toolbox: -
Yonyou UFIDA ERP-NC is an enterprise resource planning software widely used by businesses for managing resources efficiently. It is designed to integrate various business processes such as finance, sales, procurement, and human resources. The software is utilized by enterprises to streamline operations and improve productivity. Organizations rely on its robust features to handle complex data and operations. It supports scalability and customization to meet the diverse needs of different industries. As a critical business tool, it requires secure implementation to protect sensitive data.
Cross-Site Scripting (XSS) is a common web vulnerability in which user-supplied input is written into a page without output encoding, so an attacker can inject script that the victim's browser executes in the origin of the application. Consequences include credential theft, session hijacking and other actions performed with the victim's privileges. Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected XSS through its login.jsp endpoint.
The XSS vulnerability in Yonyou UFIDA ERP-NC V5.0 is located in the login.jsp script, specifically in the key and redirect parameters. Values supplied in these parameters are reflected into the application response unsanitised, so a victim who follows a crafted URL receives a page containing attacker-controlled JavaScript, which then runs in the victim's browser in the context of the ERP application. The root cause is that the reflected values are neither validated on input nor encoded for the HTML context they are written into; because the flaw is reflected, the attacker must get a victim to open the URL, typically by phishing. Context-appropriate output encoding of both parameters, backed by input validation (for example restricting redirect to a relative path on the same host), is the mitigation.
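The check below is an added example, not the scanner's own logic or Yonyou code. It shows the three pieces a reflected-XSS test for login.jsp needs: a benign probe URL per parameter (key and redirect, as named above), a classifier that tells unencoded reflection from encoded or absent reflection, and, for contrast, a constructed page template in the vulnerable shape (parameter concatenated into an HTML attribute) beside its output-encoded counterpart. The base URL, marker string and page templates are all assumptions made for the example; the probe is deliberately not a working payload, it only measures whether the four characters needed to break out of an attribute survive unencoded.

```python
"""Reflected-XSS probe logic for the login.jsp key/redirect parameters.

Added example, not the scanner's or Yonyou's own code. The base URL, the
marker string and the two page templates are constructed for illustration.
"""
import html
from urllib.parse import urlencode, urljoin

# Parameters the advisory names as reflected unsanitised by login.jsp.
REFLECTED_PARAMS = ("key", "redirect")

# Constructed probe: a unique marker followed by the four characters whose
# raw reflection lets an attacker leave an HTML attribute or tag.
# It is deliberately not a working payload; the check only measures encoding.
MARKER = "xsschk9"
SPECIALS = "<\"'>"
PROBE = MARKER + SPECIALS


def build_probe_urls(base_url, params=REFLECTED_PARAMS, probe=PROBE):
    """One probe URL per parameter, each requesting login.jsp with only that
    parameter set so a reflection can be attributed to it."""
    endpoint = urljoin(base_url, "login.jsp")
    return {p: f"{endpoint}?{urlencode({p: probe})}" for p in params}


def classify_reflection(body, marker=MARKER, specials=SPECIALS):
    """Return 'raw', 'neutralised' or 'none' for a response body.

    'raw'         the marker is followed by the special characters untouched,
                  i.e. the value reached the HTML output unencoded (the
                  condition the scanner reports as vulnerable)
    'neutralised' the marker is present but the specials were encoded,
                  stripped or altered
    'none'        the parameter is not reflected at all
    """
    idx = body.find(marker)
    if idx < 0:
        return "none"
    start = idx + len(marker)
    return "raw" if body[start:start + len(specials)] == specials else "neutralised"


# Constructed login page templates: the pattern the advisory describes
# (parameter concatenated into HTML) and its hardened counterpart.
def render_login_vulnerable(key, redirect):
    return (f'<form action="login.jsp"><input type="hidden" name="key" value="{key}">'
            f'<input type="hidden" name="redirect" value="{redirect}"></form>')


def render_login_hardened(key, redirect):
    # html.escape(quote=True) encodes < > & " and ', the right encoder for an
    # HTML attribute value; a JS-string or URL context needs its own encoder.
    k, r = html.escape(key, quote=True), html.escape(redirect, quote=True)
    return (f'<form action="login.jsp"><input type="hidden" name="key" value="{k}">'
            f'<input type="hidden" name="redirect" value="{r}"></form>')


def scan_templates(render):
    """Run the probe through each parameter of a template and classify
    the reflection, the same way a scanner would classify live responses."""
    results = {}
    for p in REFLECTED_PARAMS:
        args = {"key": "", "redirect": ""}
        args[p] = PROBE
        results[p] = classify_reflection(render(**args))
    return results


if __name__ == "__main__":
    for name, url in build_probe_urls("https://erp.example.test/").items():
        print(name, url)
    print("vulnerable:", scan_templates(render_login_vulnerable))
    print("hardened:  ", scan_templates(render_login_hardened))
```

In a live scan the URLs from build_probe_urls are fetched and each response body goes through classify_reflection; a "raw" result for either parameter is the finding. The attribute-context encoder in the hardened template is sufficient only for the attribute context shown; if a parameter were reflected inside a script block or an href, the classifier would need context-specific checks and the fix a context-specific encoder.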
If exploited, the Cross-Site Scripting vulnerability could have several detrimental outcomes. Because the injected script runs on the login page itself, in the application's origin, an attacker can replace or overlay the login form with a fake one and capture credentials, or redirect users to a malicious site for credential theft or malware distribution. Where a victim already holds a session, the script can steal session cookies that are not marked HttpOnly or issue requests on the victim's behalf, giving the attacker unauthorized access to the account and the ability to manipulate application behaviour. Unpatched systems therefore present a significant risk to businesses relying on Yonyou UFIDA ERP-NC for daily operations.