CVE-2025-10386

Vulnerability

Overview

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the Yida ECMS Consulting Enterprise Management System version 1.0. It resides in the /login.do endpoint, specifically within the POST request handler. The root cause is insufficient input sanitization of the requestUrl parameter, allowing an attacker to inject arbitrary JavaScript payloads that are reflected back in the server's response [1].

Exploitation

Exploitation can be performed remotely without requiring authentication. An attacker crafts a POST request to /login.do with a malicious payload in the requestUrl parameter. The payload is reflected and executed in the victim's browser upon user interaction, such as a mouse hover event, as demonstrated by the proof-of-concept payload requestUrl="><a%09oNmOuseovEr+=+(confirm)()%0dx>v3dm0s [1].

Impact

Successful exploitation enables an attacker to perform actions on behalf of authenticated users, steal sensitive session data, or conduct phishing attacks against users of the OA system. This can lead to unauthorized access and data compromise [1].

Mitigation

The vendor was contacted but did not respond, and no official patch is available. Users are advised to implement input validation and output encoding for the requestUrl parameter, or deploy web application firewall (WAF) rules to block malicious payloads until a fix is released [1].