Yonyou UFIDA ERP-NC systop.jsp cross site scripting
Description
A reflected XSS vulnerability in Yonyou UFIDA ERP-NC 5.0 via langcode parameter in /help/systop.jsp allows remote attackers to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a reflected Cross-Site Scripting (XSS) issue in Yonyou UFIDA ERP-NC version 5.0. The langcode parameter in the file /help/systop.jsp is directly inserted into the HTML output without proper sanitization or encoding, as shown in the source code where <%=sLangcode%> is used in a script and a DIV element [1].
Exploitation
An attacker can exploit this by crafting a malicious URL containing a payload in the langcode parameter, such as ?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E. No authentication is required, and the attack can be conducted remotely. However, user interaction is needed as the victim must click the crafted link for the script to execute in their browser [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement, or other malicious actions performed on behalf of the victim within the affected ERP-NC application [1].
Mitigation
As of the publication date, the vendor has not responded or released a patch. Users are advised to implement input validation and output encoding for the langcode parameter, or restrict access to the vulnerable pages through network controls. No fixed version has been announced [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `langcode` parameter is directly embedded into the HTML output without proper sanitization, leading to cross-site scripting."
Attack vector
An attacker can craft a URL that includes a malicious payload within the `langcode` parameter. When a victim visits this URL, the application embeds the payload into the HTML response. This payload is then executed in the victim's browser, as the `langcode` parameter is used directly in JavaScript and HTML contexts without encoding or sanitization [ref_id=1]. The attack can be launched remotely by sending a crafted link to the victim.
Affected code
The vulnerability exists in the `/help/systop.jsp` and `/help/top.jsp` files. Specifically, the `langcode` parameter is retrieved using `request.getParameter("langcode")` and then directly inserted into the HTML and JavaScript code, such as in the `AlphaImageLoader` filter and within a JavaScript function, without any sanitization or encoding [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory recommends sanitizing or encoding the `langcode` parameter before it is used in the HTML output to prevent the injection of arbitrary JavaScript code [ref_id=1]. Without a patch, the vulnerability remains exploitable.
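As an added example that is not part of the advisory or of the vendor's code, a servlet Filter that applies the recommended input validation as a virtual patch while no vendor fix exists: it rejects any `langcode` value that is not a plain language code before `/help/systop.jsp` or `/help/top.jsp` can echo it. The class name and the allowlist pattern are assumptions; the filter is mapped to `/help/*` in `web.xml`.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Virtual patch for the reflected XSS in /help/systop.jsp and /help/top.jsp:
// reject any request whose langcode parameter is not a plain language code
// before the JSP echoes it. Map this filter to /help/* in web.xml.
public class LangcodeFilter implements Filter {
    // Assumption: legitimate language codes are short alphanumerics with an
    // optional region suffix (e.g. "en", "zh_CN"). Adjust to the codes the
    // deployment really uses; the point is that quotes, angle brackets and
    // whitespace can never reach the page.
    private static final Pattern SAFE_LANGCODE =
        Pattern.compile("^[A-Za-z]{2,16}(?:[_-][A-Za-z0-9]{2,8})?$");

    private FilterConfig config;

    // True only if the parameter is absent or matches the allowlist.
    static boolean isSafeLangcode(String value) {
        return value == null || SAFE_LANGCODE.matcher(value).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getParameter() returns the URL-decoded value, so the encoded payload
        // 1%22%3E%3Csvg... arrives here as 1"><svg... and fails the pattern.
        String langcode = request.getParameter("langcode");
        if (!isSafeLangcode(langcode)) {
            // Log the rejection for detection, but never echo the value back.
            config.getServletContext().log("Rejected langcode on "
                + request.getRequestURI() + " from " + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { config = filterConfig; }
    @Override public void destroy() {}
}
```

The filter only narrows what reaches the page; the JSP itself should still encode `sLangcode` for the attribute and script contexts it is written into.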
Preconditions
- network: The attacker can reach the vulnerable web application over the network.
- input: The attacker must be able to control the value of the `langcode` parameter.
Reproduction
- http://target-ip/help/top.jsp?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E
- http://target-ip/help/top.jsp?langcode=1%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E
- http://target-ip/help/systop.jsp?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E
- http://target-ip/help/systop.jsp?langcode=1%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E
[ref_id=1]
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
- github.com/Hebing123/cve/issues/86 (source: mitre; tags: exploit, issue-tracking)
- vuldb.com (source: mitre; tags: third-party-advisory)
- vuldb.com (source: mitre; tags: signature, permissions-required)
- vuldb.com (source: mitre; tags: vdb-entry, technical-description)