CVE-2020-37014
Description
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tryton 5.4 contains a persistent XSS vulnerability in the user profile name field, allowing remote attackers to inject malicious scripts that execute in frontend and backend interfaces.
CVE-2020-37014 is a persistent cross-site scripting (XSS) vulnerability in Tryton version 5.4. The flaw resides in the user profile name input field, where the application fails to properly sanitize user-supplied input before storing it. This allows an attacker to inject arbitrary script code into the name parameter [1][2].
Exploitation requires only low-privileged access to the Tryton web application. An attacker can submit a crafted POST request containing malicious JavaScript in the name field of the User Profile module. The injected payload is then stored on the server and executed whenever the profile name is rendered in the frontend user interface (e.g., the avatar area) or in the backend administration views [1][2].
Successful exploitation can lead to session hijacking, persistent phishing attacks, and redirection of users to malicious sites. Because the script executes in the context of the affected application, it can also be used to manipulate application modules or steal sensitive data [1][2].
The vulnerability was publicly disclosed in May 2020. The Tryton project released a security update addressing issue #9351, which likely patches this vulnerability. Users are advised to upgrade to a supported version [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 5
News mentions: 0
No linked articles in our index yet.