CVE-2020-37014
Persistent XSS in Tryton 5.4 User Profile Name Field
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tryton | tryton | 5.4 |
| tryton | tryton | 6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37014 is a persistent cross-site scripting (XSS) vulnerability in Tryton 5.4, specifically in the user profile name input field. It allows remote attackers with low privileges to inject malicious scripts into the 'name' parameter of user profiles. These scripts then execute persistently in both the frontend user interface (near the user avatar) and the backend admin interface. The vulnerability arises due to insufficient input validation and sanitization of the name field, enabling attackers to inject script payloads that can execute whenever the affected user profile is viewed. [2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to session hijacking, persistent phishing attacks, external redirects to malicious sites, and manipulation of application modules within Tryton. Because the malicious script executes in both user and admin interfaces, attackers can potentially compromise user sessions, steal sensitive information, or perform unauthorized actions. The attack requires only low privileges and minimal user interaction, making it a significant risk for users of Tryton 5.4. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for persistent cross-site scripting (XSS) payloads in the user profile name field. A practical approach is to log in as a low-privileged user, modify the user profile name field with a test script payload (e.g., an image tag with an onload JavaScript event), and observe if the script executes in the frontend user interface (near the user avatar) or in the backend admin interface under the user model views. Detection involves sending a POST request to update the user profile name and monitoring the application behavior for script execution. Specific commands would involve using tools like curl or Postman to send crafted POST requests to the user profile endpoint and inspecting the response or UI for script execution. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting user privileges to prevent low-privileged users from modifying the user profile name field, applying input validation and sanitization on the name field to prevent script injection, and updating Tryton to a patched version if available. Since the vulnerability arises from insufficient input validation, ensuring proper escaping and sanitization of user input in the profile name field is critical. Monitoring and auditing user profile changes for suspicious input can also help mitigate exploitation. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.