CVE-2020-37022

MEDIUM

OpenZ ERP 3.6.60 - Stored Cross-Site Scripting in Employee Module Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37022. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary

This exploit demonstrates a persistent XSS vulnerability in OpenZ ERP 3.6.60 via the `inpname` and `inpdescription` parameters in the Employee module. The PoC includes a crafted POST request with malicious iframe injection, which executes when viewed in the application.

Description

OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules.

Exploits (1)

exploitdb · WORKING POC
by Vulnerability-Lab · text · webapps · php
https://www.exploit-db.com/exploits/48450

Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: OpenZ ERP v3.6.60
Auth: required
Prerequisites: Low-privileged user account in OpenZ ERP · Access to the Employee module
Analyzed by devstral-2 on Feb 18, 2026

References (5)

Core References (5)
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/48450
Various Sources (product): https://www.openz.de/
Various Sources (product): https://www.openz.de/download.html
Various Sources (third-party advisory): https://www.vulnerability-lab.com/get_content.php?id=2234

Scores

CVSS v3 6.4
EPSS 0.0025
EPSS Percentile 16.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Jan 30, 2026
Tracked Since Feb 18, 2026