Yonyou UFIDA ERP-NC menu.jsp cross site scripting
Description
A reflected XSS vulnerability in Yonyou UFIDA ERP-NC 5.0's menu.jsp allows remote attackers to inject arbitrary JavaScript via the flag parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Yonyou UFIDA ERP-NC version 5.0. The flaw resides in the /menu.jsp page, where the flag parameter is read from the URL into PageId and embedded, without any sanitization or encoding, inside a JavaScript string literal in the call opentree('<%=PageId%>','<%=topNodes%>'); [1]. Because the value is placed in a script block, an attacker can inject arbitrary HTML and JavaScript.
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication. The attack involves crafting a malicious URL whose flag parameter carries a JavaScript payload such as %3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E, which decodes to </script><script>alert(1)</script>; the leading </script> closes the page's own script block, so the script tag that follows is parsed as markup rather than as part of the string literal. When a victim visits this URL, the injected script executes in the context of the victim's browser session [1]. No user interaction beyond opening the link is needed.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive data, defacement of the application interface, or further attacks against the victim's session. The impact is limited to the browser context and the privileges of the authenticated user if the victim is logged in.
Mitigation
As of the publication date, the vendor (Yonyou) has not responded to the disclosure and no official patch or fix has been released [1]. Users are advised to validate the flag parameter and to apply output encoding appropriate for the JavaScript string context in which it is rendered, to restrict network access to the ERP-NC application, or to deploy a web application firewall (WAF) to block malicious payloads until a vendor-supplied update becomes available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input in the 'flag' parameter is not properly sanitized before being included in HTML output."
Attack vector
An attacker can exploit this vulnerability by crafting a malicious URL that includes a specially designed 'flag' parameter. This parameter contains JavaScript code, which is then reflected directly into the HTML response. The vulnerability is present in the `/menu.jsp` page and can be initiated remotely. The provided Proof of Concept demonstrates injecting script tags to execute arbitrary JavaScript in the victim's browser [1].
Affected code
The vulnerability resides in the `/menu.jsp` file. Specifically, the code snippet shows that the `PageId` variable, populated from `request.getParameter("flag")`, is embedded directly into the JavaScript function call `opentree('<%=PageId%>','<%=topNodes%>');` without any sanitization or encoding [1].
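As an added illustration of the unencoded `opentree` call described above and of the output-encoding advice in the Mitigation section (example code, not the vendor's; the class name, the encoder and the `topNodes` value are assumptions), this shows the vulnerable rendering beside a hardened form and a response-side check for script-block breakout:

```java
// Added example, not vendor code: the only line taken from the advisory is the JSP call
// opentree('<%=PageId%>','<%=topNodes%>'). The class name, the topNodes value and the
// encoder below are assumptions for illustration.
public class MenuFlagRendering {
    // Mirrors the vulnerable menu.jsp line: the raw request value is concatenated into a
    // JavaScript string literal inside a <script> block, so an attacker-controlled
    // "</script>" ends the block before the JS parser ever sees the quotes.
    static String vulnerableScriptCall(String flag, String topNodes) {
        return "<script>opentree('" + flag + "','" + topNodes + "');</script>";
    }

    // Output encoding for a JS string literal embedded in HTML: keep an allow-list of
    // harmless characters and write everything else as a backslash-u hex escape, which the
    // JS lexer decodes but the HTML tokenizer never sees as '<', '/', quotes or newlines.
    // On a real JSP page the same job is done by OWASP Java Encoder's Encode.forJavaScript.
    static String encodeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
            if (safe) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    // Hardened form of the same call.
    static String safeScriptCall(String flag, String topNodes) {
        return "<script>opentree('" + encodeForJsString(flag) + "','"
             + encodeForJsString(topNodes) + "');</script>";
    }

    // Response-side check: a second "<script" or an extra "</script>" in the rendered
    // page means a parameter value escaped its string context.
    static boolean breaksOutOfScript(String rendered) {
        String lower = rendered.toLowerCase(java.util.Locale.ROOT);
        return lower.indexOf("<script", 1) != -1
            || lower.indexOf("</script>") != lower.lastIndexOf("</script>");
    }

    public static void main(String[] args) {
        // Decoded form of the advisory's PoC value for flag; "1" is an assumed topNodes value.
        String poc = "</script><script>alert(1)</script>";
        for (String page : new String[] { vulnerableScriptCall(poc, "1"), safeScriptCall(poc, "1") }) {
            System.out.println(page + "\n  breaks out of script block: " + breaksOutOfScript(page));
        }
    }
}
```

The vulnerable rendering reports true for the breakout check and the encoded rendering reports false, since every `<` and `/` in the value is emitted as an escape the HTML tokenizer does not interpret.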
What the fix does
The advisory does not provide information about a patch or specific remediation steps. It only states that the vendor was contacted and did not respond. Therefore, no fix explanation can be provided.
Preconditions
- network: The vulnerable application must be accessible over the network.
- input: The attacker must be able to control the value of the 'flag' parameter in the URL.
Reproduction
http(s)://target-ip/menu.jsp?flag=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E [1]
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/Hebing123/cve/issues/85 (mitre; exploit, issue-tracking)
[2] vuldb.com (mitre; third-party-advisory)
[3] vuldb.com (mitre; signature, permissions-required)
[4] vuldb.com (mitre; vdb-entry, technical-description)
News mentions: 0
No linked articles in our index yet.