CVE-2020-37022 in ERPinfo

Summary

by MITRE • 01/30/2026

OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules.


Analysis

by VulDB Data Team • 01/30/2026

The vulnerability identified as CVE-2020-37022 represents a critical persistent cross-site scripting flaw within OpenZ ERP version 3.6.60, specifically affecting the Employee module. This weakness exists in the handling of name and description parameters, creating a pathway for attackers to execute malicious scripts within the context of the vulnerable application. The vulnerability stems from insufficient input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before it is processed and rendered back to users. The flaw is particularly concerning as it allows attackers to inject malicious code through POST requests, which can then persist in the application's database and execute whenever affected pages are loaded.

The technical exploitation of this vulnerability follows a standard XSS attack pattern where malicious input is submitted through the Employee module's name and description fields. When these parameters are processed and stored without proper sanitization, the injected scripts become part of the application's persistent data. Subsequent requests to the employee module pages will execute these malicious scripts in the context of authenticated users' browsers, potentially leading to session hijacking, privilege escalation, or data manipulation. The vulnerability's persistence means that the malicious code remains active even after the initial injection, making it particularly dangerous as it can affect multiple users over extended periods without requiring repeated exploitation attempts.

From an operational impact perspective, this vulnerability compromises the integrity and confidentiality of the OpenZ ERP system, potentially allowing attackers to gain unauthorized access to sensitive employee data, manipulate payroll information, or escalate privileges within the application. The session hijacking capability enables attackers to impersonate legitimate users, which could result in unauthorized financial transactions, data breaches, or system compromise. The vulnerability affects the application's availability as well, since attackers could potentially disrupt normal operations by injecting malicious code that affects application performance or functionality. The attack surface extends beyond individual user sessions to potentially impact the entire organization's data integrity and operational security posture.

Security mitigations for this vulnerability should focus on comprehensive input validation and output encoding throughout the application's data processing pipeline. The primary remediation is to encode all user-supplied input, particularly the Employee module's name and description parameters, for the context in which it is rendered, using techniques such as HTML entity encoding and JavaScript escaping. Content Security Policy headers can provide an additional layer of protection against script execution, and regular security audits and input validation testing should be conducted to prevent similar vulnerabilities. Organizations should also consider deploying web application firewalls to detect and block malicious payloads, and establish proper access controls to limit the impact of successful exploitation. This vulnerability aligns with CWE-79, which covers cross-site scripting flaws, and maps to ATT&CK technique T1059.007 for script injection attacks, highlighting the need for robust application-level defenses against persistent script injection.
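The following added example (not OpenZ code, and not part of the advisory) illustrates the remediation above on constructed sample Employee rows: a vulnerable renderer that interpolates stored name/description values directly into markup, next to a hardened renderer that encodes each value for its output context (attribute, element body, script block) and emits a nonce-based Content-Security-Policy so that only the page's own script runs. The field names, templates and sample values are assumptions for illustration.

```python
import html
import json
import secrets

# Constructed sample of stored Employee rows. The second row is shaped like
# stored-XSS input of the kind the advisory describes (illustrative only).
EMPLOYEES = [
    {"name": "Ada Lovelace", "description": "Analytical engine team"},
    {"name": 'Mallory"><script>alert(1)</script>',
     "description": "</script><script>alert(2)</script>"},
]

def render_vulnerable(emp):
    """Interpolates stored fields straight into the page: the flaw class of CVE-2020-37022."""
    return (f'<input name="name" value="{emp["name"]}">'
            f'<div class="desc">{emp["description"]}</div>')

def js_string(value):
    """Encode a value for a <script> block: JSON quoting plus \\u-escaping of
    < and >, so the HTML parser never sees a tag boundary inside the string."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_hardened(emp, nonce=None):
    """Encode each field for the context it lands in and return a CSP header
    that only allows scripts carrying this response's nonce."""
    nonce = nonce or secrets.token_urlsafe(16)   # fresh per response
    name_attr = html.escape(emp["name"], quote=True)   # attribute context: also encodes quotes
    desc_body = html.escape(emp["description"])        # element-body context
    body = (f'<input name="name" value="{name_attr}">'
            f'<div class="desc">{desc_body}</div>'
            f'<script nonce="{nonce}">var desc = {js_string(emp["description"])};</script>')
    headers = {"Content-Security-Policy":
               f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'"}
    return headers, body

def script_tag_count(markup):
    """Number of <script tags the browser's HTML parser will actually see."""
    return markup.lower().count("<script")

if __name__ == "__main__":
    for emp in EMPLOYEES:
        print("vulnerable:", script_tag_count(render_vulnerable(emp)), "script tag(s)")
        print("hardened:  ", script_tag_count(render_hardened(emp)[1]), "script tag(s)")
```

For the sample row the vulnerable renderer yields two parser-visible script tags (both injected), while the hardened renderer yields exactly one: the template's own nonce-bearing script.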

Responsible: VulnCheck
Reservation: 01/28/2026
Disclosure: 01/30/2026
Moderation: accepted
CPE: ready
EPSS: 0.00059
KEV: no
Activities: very low
