CVE-2020-37014
Unknown Unknown - Not Provided
Persistent XSS in Tryton 5.4 User Profile Name Field

Publication date: 2026-01-30

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-14
NVD
CVE-2020-37014
EUVD
EUVD-2020-30960
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tryton tryton 5.4
tryton tryton 6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-37014 is a persistent cross-site scripting (XSS) vulnerability in Tryton 5.4, specifically in the user profile name input field. It allows remote attackers with low privileges to inject malicious scripts into the 'name' parameter of user profiles. These scripts then execute persistently in both the frontend user interface (near the user avatar) and the backend admin interface. The vulnerability arises due to insufficient input validation and sanitization of the name field, enabling attackers to inject script payloads that can execute whenever the affected user profile is viewed. [2, 3]

Impact Analysis

Exploitation of this vulnerability can lead to session hijacking, persistent phishing attacks, external redirects to malicious sites, and manipulation of application modules within Tryton. Because the malicious script executes in both user and admin interfaces, attackers can potentially compromise user sessions, steal sensitive information, or perform unauthorized actions. The attack requires only low privileges and minimal user interaction, making it a significant risk for users of Tryton 5.4. [2, 3]

Detection Guidance

This vulnerability can be detected by checking for persistent cross-site scripting (XSS) payloads in the user profile name field. A practical approach is to log in as a low-privileged user, modify the user profile name field with a test script payload (e.g., an image tag with an onload JavaScript event), and observe if the script executes in the frontend user interface (near the user avatar) or in the backend admin interface under the user model views. Detection involves sending a POST request to update the user profile name and monitoring the application behavior for script execution. Specific commands would involve using tools like curl or Postman to send crafted POST requests to the user profile endpoint and inspecting the response or UI for script execution. [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting user privileges to prevent low-privileged users from modifying the user profile name field, applying input validation and sanitization on the name field to prevent script injection, and updating Tryton to a patched version if available. Since the vulnerability arises from insufficient input validation, ensuring proper escaping and sanitization of user input in the profile name field is critical. Monitoring and auditing user profile changes for suspicious input can also help mitigate exploitation. [2, 3]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart