VYPR
Unrated severity · NVD Advisory · Published Mar 24, 2025 · Updated Mar 25, 2025

Yonyou UFIDA ERP-NC top.jsp cross site scripting

CVE-2025-2712

Description

A reflected XSS vulnerability in the /help/top.jsp file of Yonyou UFIDA ERP-NC 5.0 allows remote attackers to inject arbitrary JavaScript via the langcode parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a reflected cross-site scripting (XSS) issue in the /help/top.jsp file of Yonyou UFIDA ERP-NC version 5.0. The langcode parameter is taken from the HTTP request (request.getParameter("langcode")) and embedded directly into the HTML output in several places, including within a DIV style attribute using AlphaImageLoader and within tag href attributes, without proper sanitization or encoding [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that will be executed in the victim's browser. No special configuration is needed; the vulnerable code path is reached simply by requesting the top.jsp file with a crafted langcode parameter.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that includes a payload in the langcode parameter. The proof-of-concept provided shows ?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E, which breaks out of the attribute context and executes JavaScript [1]. The attack can be launched remotely; no authentication or prior access to the ERP system is required. The exploit is triggered when a victim accesses the crafted URL — for example, via a phishing link or by browsing to a page that embeds the malicious URL — and the payload runs in the context of the user's session.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of a logged-in user. Depending on the browser's security context and same-origin policy, the attacker could potentially steal session cookies, read or modify page content, redirect users to malicious sites, or perform actions on behalf of the victim within the ERP-NC application. The impact is classified as problematic due to the need for user interaction (clicking the link) and the client-side nature of the attack, but it could lead to significant information disclosure or privilege escalation if combined with other weaknesses.

Mitigation

As of the publication date (2025-03-24), the vendor (Yonyou) has been contacted but has not responded or released a fix [1]. No patch or workaround is available from the vendor. Users of UFIDA ERP-NC 5.0 should restrict network access to the /help/ directory — especially top.jsp and systop.jsp — to trusted users only, implement a web application firewall (WAF) rule to filter malicious langcode values, and sanitize input server-side if custom code can be deployed. Because the product may be end-of-life or unmaintained, migration to a supported version or alternative solution is recommended.
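
As an added example (not from the advisory or the vendor), the allow-list check behind the suggested WAF rule can also be run over existing access logs to find requests to the help pages that carried a non-conforming langcode. The log format, the 16-character alphanumeric pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate langcode values are short alphanumeric language codes.
# Adjust the pattern to the codes your deployment actually uses.
SAFE_LANGCODE = re.compile(r"[A-Za-z0-9_-]{1,16}")
# Pages named in the advisory text above.
WATCHED_PATHS = {"/help/top.jsp", "/help/systop.jsp"}
# Assumption: combined-log-style request field, e.g. "GET /path?query HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_langcodes(request_target):
    """Return decoded langcode values that fail the allow-list check."""
    parts = urlsplit(request_target)
    # Drop path parameters such as ";jsessionid=..." before comparing paths.
    path = parts.path.split(";", 1)[0].lower()
    if path not in WATCHED_PATHS:
        return []
    # parse_qs percent-decodes each value, so encoded quotes and angle
    # brackets are compared in their decoded form.
    values = parse_qs(parts.query).get("langcode", [])
    return [v for v in values if not SAFE_LANGCODE.fullmatch(v)]


def scan(log_lines):
    """Return (line_number, client, bad_values) for each flagged request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        bad = suspicious_langcodes(m.group(1))
        if bad:
            hits.append((n, line.split(" ", 1)[0], bad))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2025:10:00:01 +0800] "GET /help/top.jsp?langcode=simpchn HTTP/1.1" 200 2311',
    '198.51.100.7 - - [24/Mar/2025:10:02:44 +0800] "GET /help/top.jsp?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E HTTP/1.1" 200 2398',
    '192.0.2.10 - - [24/Mar/2025:10:03:09 +0800] "GET /index.jsp?langcode=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, client, bad in scan(SAMPLE_LOG):
        print(f"line {n}: {client} sent langcode={bad!r}")
```

The same predicate can back a reverse-proxy or WAF rule that rejects the request instead of only reporting it.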

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Yonyou/Ufida Nc (llm-fuzzy), 2 versions: =5.0 + 1 more
    • (no CPE) range: =5.0
    • (no CPE) range: 5.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The 'langcode' parameter is directly embedded into the HTML output without proper sanitization or encoding, allowing for cross-site scripting."

Attack vector

An attacker can exploit this vulnerability by crafting a malicious URL that includes an injected script within the 'langcode' parameter. When a victim visits this URL, the script is executed in their browser within the context of the vulnerable application. The attack can be launched remotely, and the exploit has been publicly disclosed [1].

Affected code

The vulnerability resides in the /help/top.jsp file, specifically where the 'langcode' parameter is retrieved using `request.getParameter("langcode")` and then directly embedded into the HTML output, including within a `DIV` tag's style attribute and in calls to `nc.bs.ml.NCLangResOnserver.getInstance().getString()` [1].

What the fix does

The advisory does not provide details on a specific patch or fix. It indicates that the vendor was contacted but did not respond. Therefore, no remediation guidance is available from the vendor.

Preconditions

  • network: The target application must be accessible over the network.
  • input: The 'langcode' parameter must be controllable by the attacker.

Reproduction

http://target-ip/help/top.jsp?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E
http://target-ip/help/top.jsp?langcode=1%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
