Invia #517306: Yonyou UFIDA ERP-NC V5.0 Cross Site Scriptinginformazioni

TitoloYonyou UFIDA ERP-NC V5.0 Cross Site Scripting
DescrizioneSummary A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Yonyou UFIDA ERP-NC V5.0. This vulnerability allows an attacker to inject malicious JavaScript code into the application, which is then executed in the context of the victim's browser. The vulnerability is present in the menu.jsp page, where user-supplied input is not properly sanitized before being included in the HTML output. Details The vulnerability exists in the menu.jsp page of the Yonyou UFIDA ERP-NC V5.0 application. The flag parameter, which is passed via the URL, is directly included in the HTML output without proper sanitization. This allows an attacker to inject arbitrary JavaScript code, which is then executed in the context of the victim's browser. ··· <%String PageId = request.getParameter("flag");%> ··· <%if (PageId!=null){%> <SCRIPT language=JavaScript>opentree('<%=PageId%>','<%=topNodes%>');</SCRIPT> <%}%> ··· In the above code snippet, the PageId parameter is directly embedded into a JavaScript function call without any sanitization. This allows an attacker to inject malicious JavaScript code by manipulating the flag parameter in the URL. POC http(s)://target-ip/menu.jsp?flag=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
Fonte⚠️ https://github.com/Hebing123/cve/issues/85
Utente
 jiashenghe (UID 39445)
Sottomissione10/03/2025 06:34 (1 Anno fa)
Moderazione24/03/2025 12:29 (14 days later)
StatoAccettato
Voce VulDB300731 [Yonyou UFIDA ERP-NC 5.0 /menu.jsp flag cross site scripting]
Punti20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!