CVE-2025-2712 Scanner

Yonyou UFIDA ERP-NC is a comprehensive enterprise resource planning solution commonly used by organizations to manage various business processes and resources efficiently. It is popular among large enterprises for handling operations such as finance, supply chain, human resources, and customer relationship management. The software allows for seamless integration and data flow across departments, enabling businesses to optimize performance and streamline their operations. With its scalability and robust functionality, Yonyou UFIDA ERP-NC is a preferred choice for businesses aiming to improve productivity and decision-making. The integration capabilities with other systems and applications make it adaptable to various organizational needs. Its user-friendly interface and extensive functionalities cater to diverse business environments, making it suitable for global operations.

Cross-Site Scripting (XSS) is a vulnerability where attackers inject malicious scripts into web pages viewed by other users. This allows attackers to bypass access controls such as the same-origin policy, leading to unauthorized activities. The vulnerability permits execution of arbitrary web scripts in the context of the affected site, compromising data confidentiality, integrity, and availability. Reflected XSS occurs when a script is reflected off a web server, often via a URL query string. This vulnerability is a result of insufficient input validation and improper sanitization of user inputs. It poses a security threat as it can exploit users' trust in a legitimate site.

The vulnerability in Yonyou UFIDA ERP-NC V5.0 allows for reflected XSS through unsanitized user input in the 'langcode' parameter. The vulnerable endpoints, /help/systop.jsp and /help/top.jsp, reflect the input directly back to the user interface. Malicious actors can exploit this by crafting specially crafted URLs containing JavaScript payloads. The application executes these scripts on users who open the crafted URL, potentially exposing sensitive information. Injection of arbitrary scripts can be achieved, leading to the execution of unwanted actions in the context of the affected user session. Exploitable through web browser interactions, it demands no special privileges, making the attack vector broad.

Exploitation of the XSS vulnerability can have severe effects such as data theft and unauthorized actions on behalf of users. Malicious scripts can capture cookies, session IDs, and other sensitive data, leading to identity theft and unauthorized account access. The vulnerability might facilitate phishing attacks where attackers impersonate trusted sites. Disruption of website functionality and user redirection to malicious sites are other potential impacts. Additionally, it can damage a company's reputation and erode consumer trust due to perceived insecurity. Organizations might face legal ramifications and financial losses as a result of breached customer data.

REFERENCES

• https://nvd.nist.gov/vuln/detail/CVE-2025-2712