CVE-2020-37014

MEDIUM

Tryton < 5.4 - Stored Cross-Site Scripting via User Profile Name Input

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37014. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in Tryton 5.4, where malicious script code can be injected into the 'name' parameter of the User Profile module, leading to session hijacking or phishing attacks.

Description

Tryton 5.4 (the version the public PoC was tested against) stores the value of the user profile's name field without neutralising HTML and renders it unescaped in both the frontend and backend user interfaces. An authenticated, low-privileged user who sets their own name to a script payload therefore obtains persistent (stored) cross-site scripting: the payload executes in the browser of every user whose interface displays that name, which is the basis for the session-hijacking and phishing scenarios described in the PoC.
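As an added example (not Tryton's own code and not from the Vulnerability-Lab PoC), the JavaScript below shows the rendering pattern behind a stored XSS of this kind, the escaping fix, and a post-patch audit over constructed sample user rows. The function names, the regex heuristic and the sample rows are assumptions for illustration only; they are not Tryton's client or server API.

```javascript
// Added example, not Tryton code: vulnerable vs. hardened rendering of a
// stored user name, plus an audit helper for payloads that are already
// stored. All names and rows below are constructed sample data.

// Minimal HTML escaping suitable for text nodes and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: the stored name is interpolated into markup as-is,
// so an injected <script> tag or event-handler attribute is parsed as HTML.
function renderProfileUnsafe(name) {
  return `<span class="user-name">${name}</span>`;
}

// Hardened pattern: the name is escaped before it reaches the markup.
// In a real client, prefer DOM APIs such as textContent over string building.
function renderProfileSafe(name) {
  return `<span class="user-name">${escapeHtml(name)}</span>`;
}

// Post-patch check: fixing the renderer does not clean up payloads an
// attacker already saved, so stored names should be audited as well.
// The pattern is a heuristic (tags, javascript: URLs, on*= handlers).
const SUSPECT_NAME = /<\s*\/?\s*[a-z!]|javascript:|on[a-z]+\s*=/i;

// Returns the rows whose name contains HTML-active content.
function auditUserNames(users) {
  return users
    .filter((u) => SUSPECT_NAME.test(u.name))
    .map((u) => ({ id: u.id, name: u.name }));
}

// Constructed rows shaped like a user table (id, name); not real data.
const SAMPLE_USERS = [
  { id: 1, name: 'Administrator' },
  { id: 2, name: 'Jane <b>Doe</b>' },
  { id: 3, name: '<script>alert(document.cookie)</script>' },
  { id: 4, name: '<img src=x onerror=alert(1)>' },
  { id: 5, name: "O'Brien & Sons" },
];

function main() {
  const payload = '<script>alert(document.cookie)</script>';
  console.log('unsafe :', renderProfileUnsafe(payload));
  console.log('safe   :', renderProfileSafe(payload));
  console.log('flagged:', auditUserNames(SAMPLE_USERS));
}

main();
```

The audit step is the part most often skipped after a patch like this: once the renderer escapes output, a payload that is still sitting in the name column is harmless in the patched UI, but it will fire again in any other consumer (reports, exports, a second client) that renders the same field without escaping.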

Exploits (1)

exploitdb WORKING POC
by Vulnerability-Lab · webapps · php
https://www.exploit-db.com/exploits/48466


Classification
Working PoC: 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Tryton 5.4
Auth required: yes
Prerequisites: Low-privileged user account · Access to the User Profile module
Analyzed by devstral-2 on Feb 16, 2026

References (5)

Core References
Exploit, third-party advisory: https://www.exploit-db.com/exploits/48466
Product: https://www.tryton.org/
Product: https://www.tryton.org/download
Third-party advisory: https://www.vulnerability-lab.com/get_content.php?id=2233

Scores

CVSS v3.1 base score: 6.4 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0031 (22.6th percentile)

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Tryton/Tryton < 5.4
Published Jan 30, 2026
Tracked Since Feb 18, 2026