Yonyou UFIDA ERP-NC login.jsp cross site scripting
Description
Yonyou UFIDA ERP-NC 5.0 login.jsp contains reflected XSS via unsanitized key/redirect parameters, allowing remote unauthenticated script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yonyou UFIDA ERP-NC 5.0 login.jsp contains reflected XSS via unsanitized key/redirect parameters, allowing remote unauthenticated script injection.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in Yonyou UFIDA ERP-NC version 5.0, specifically in the /login.jsp file [1]. The key and redirect parameters are directly embedded into the HTML response without sanitization or escaping, as shown in the source: LOGINKEY='<%=request.getParameter("key")==null?"":request.getParameter("key")%>' and redirect='<%=request.getParameter("redirect")==null?"Y":request.getParameter("redirect")%>' [1]. This affects the default installation with no special configuration required.
Exploitation
An unauthenticated attacker can craft a malicious URL containing JavaScript payloads in either the key or redirect parameter. The attack is performed remotely by convincing a victim to visit a crafted link to the login.jsp page, which triggers the script execution in the victim's browser. The exploit details have been publicly disclosed [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session on the ERP-NC application. This can lead to session hijacking, credential theft, or defacement of the login page. The impact is limited to the browser context of the user, but no authentication is bypassed.
Mitigation
As of publication, Yonyou has not released a patch or responded to the disclosure [1]. No official mitigation is available. Administrators should restrict network access to the login page and consider using a web application firewall (WAF) to block malicious parameter patterns until a fix is provided.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper output encoding of the `key` and `redirect` parameters in `/login.jsp` allows reflected cross-site scripting."
Attack vector
An attacker crafts a malicious URL targeting the `/login.jsp` page and injects JavaScript payloads via the `key` or `redirect` parameters. Because these parameters are inserted directly into the HTML without escaping, the injected script executes in the victim's browser context. The attack is remote and requires no authentication; the victim simply needs to visit the crafted link [ref_id=1].
Affected code
The vulnerability resides in `/login.jsp`. The `key` and `redirect` parameters are retrieved via `request.getParameter()` and directly embedded into the HTML output without sanitization or escaping, as shown in the lines `LOGINKEY='<%=request.getParameter("key")==null?"":request.getParameter("key")%>'` and `redirect='<%=request.getParameter("redirect")==null?"Y":request.getParameter("redirect")%>'` [ref_id=1].
What the fix does
No patch is available; the vendor did not respond to the disclosure [ref_id=1]. The remediation would require proper output encoding or sanitization of the `key` and `redirect` parameters before embedding them in the HTML response, preventing injected script content from being interpreted as executable code.
Preconditions
- inputThe victim must visit a crafted URL pointing to the target's /login.jsp page
- authNo authentication is required
- configThe target must be running Yonyou UFIDA ERP-NC 5.0
Reproduction
1. Identify a target running Yonyou UFIDA ERP-NC 5.0. 2. Craft a URL using the `key` parameter: `http(s)://target-ip/login.jsp?key=hebing%27%3E%3Csvg%20onload=alert(document.cookie)%3E` 3. Alternatively, craft a URL using the `redirect` parameter: `http(s)://target-ip/login.jsp?redirect=hebing%27%3E%3Csvg%20onload=alert(document.cookie)%3E` 4. When a victim visits either URL, the injected JavaScript executes in their browser [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/Hebing123/cve/issues/84mitreexploitissue-tracking
- vuldb.commitrethird-party-advisory
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.