CVE-2020-37022
Description
OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A persistent XSS vulnerability in OpenZ ERP 3.6.60 allows low-privileged attackers to inject malicious scripts via Employee name/description fields, potentially for session hijacking.
Vulnerability Overview
The OpenZ ERP web-application version 3.6.60 is vulnerable to a persistent (stored) cross-site scripting (XSS) flaw in the Employee module. The inpname and inpdescripción parameters within the menu.html file are not properly sanitized before being saved and later rendered in the browser. This allows an attacker to inject arbitrary JavaScript code that will be executed for any user viewing the affected employee records [1][3].
Attack Vector and Exploitation
The vulnerability can be exploited by any authenticated low-privilege user. The injection is performed via a POST request when adding or editing an employee's name or description. Because the script is stored on the server, the malicious payload executes automatically when a victim, such as a manager or administrator, views the employee's profile. This cross-site scripting weakness is classified under CWE-79 and does not require any special network position beyond normal application access [1][3].
Impact
Successful exploitation enables an attacker to perform session hijacking by stealing the victim's session cookies, conduct persistent phishing attacks, redirect users to external malicious sites, or manipulate application modules on behalf of a higher-privilege user. This can lead to privilege escalation if an administrator's session is compromised [1][3].
Mitigation Status
The vendor has not released a patched version addressing this specific vulnerability. The web application remains at risk, and users are advised to apply input validation and output encoding for the affected parameters or implement a web application firewall (WAF) to block malicious input until an official update is provided [1][2].
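As an added example (not OpenZ code), the Python below contrasts the flawed pattern of concatenating the stored inpname and inpdescripción values into markup with HTML output encoding of those two fields; the employee record, payloads and render functions are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed employee record carrying the kind of payload a stored XSS
# in the inpname / inpdescripción fields would persist (illustration only).
SAMPLE_EMPLOYEE = {
    "inpname": "Alice <script>alert(document.cookie)</script>",
    "inpdescripción": 'Sales lead <img src=x onerror="alert(1)">',
}


def render_employee_vulnerable(employee: dict) -> str:
    """Flawed pattern: stored fields are concatenated straight into HTML."""
    return (
        f"<h2>{employee['inpname']}</h2>"
        f"<p>{employee['inpdescripción']}</p>"
    )


def render_employee_encoded(employee: dict) -> str:
    """Hardened pattern: each field is encoded for the HTML text context.

    html.escape handles <, >, &, and with quote=True also " and ', so the
    stored text is displayed literally instead of being parsed as markup.
    (Attribute, URL or JavaScript contexts need their own encoders.)
    """
    return (
        f"<h2>{html.escape(employee['inpname'], quote=True)}</h2>"
        f"<p>{html.escape(employee['inpdescripción'], quote=True)}</p>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag a browser-style parser sees in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def active_tags(markup: str) -> list:
    """Returns the tags that would become live elements when rendered."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags
```

Comparing active_tags() on both renderings is a quick regression check: only the template's own h2 and p tags should survive once the fields are encoded.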
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 3.6.60
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.