CVE-2025-10386 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the Yida ECMS Consulting Enterprise Management System. The vulnerability exists in the POST request handler of the /login.do endpoint, specifically through the manipulation of the 'requestUrl' parameter. An attacker can craft a malicious request that injects executable scripts into the web application, which are then executed in the context of the victim's browser. This vulnerability is remotely exploitable without requiring authentication, and user interaction is necessary to trigger the malicious script, typically by a victim clicking a crafted link or submitting a form. The vulnerability has a CVSS v4.0 base score of 5.3, indicating a medium severity level. The vendor was notified but has not responded or issued a patch, and while no exploits are currently known to be actively used in the wild, proof-of-concept code has been publicly disclosed, increasing the risk of exploitation. The lack of vendor response and patch availability means that affected systems remain vulnerable. XSS vulnerabilities can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, impacting the confidentiality and integrity of user data and potentially damaging organizational reputation.

For European organizations using Yida ECMS Consulting Enterprise Management System 1.0, this vulnerability poses a moderate risk. Exploitation could allow attackers to execute arbitrary scripts in the browsers of users interacting with the affected login page, potentially leading to theft of session cookies, user credentials, or other sensitive information. This can facilitate unauthorized access to enterprise systems or data breaches. Given that ECMS systems often handle enterprise management data, the compromise could extend to internal business processes and sensitive consulting information. Additionally, successful exploitation could enable attackers to conduct phishing or social engineering campaigns leveraging the trusted enterprise domain. The absence of a vendor patch increases the window of exposure. European organizations with external-facing portals or remote users are particularly at risk, as attackers can exploit the vulnerability remotely. The impact on availability is minimal, but confidentiality and integrity risks are significant enough to warrant attention.

Since no official patch is available, European organizations should implement several practical mitigations: 1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'requestUrl' parameter on /login.do endpoints. 2) Conduct input validation and output encoding at the application level if source code access is available, sanitizing all user-supplied inputs to prevent script injection. 3) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of XSS attacks. 4) Educate users about the risks of clicking untrusted links and encourage cautious behavior when interacting with login pages. 5) Monitor web server and application logs for suspicious POST requests containing unusual or encoded script content targeting the vulnerable parameter. 6) Consider isolating or restricting access to the affected ECMS system to trusted networks or VPNs until a vendor patch is released. 7) Engage with the vendor or community to track any updates or patches and apply them promptly once available.