OpenZ ERP Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent (stored) cross-site scripting vulnerability has been identified in OpenZ ERP version 3.6.60. The vulnerability exists in the Employee module, specifically in the name and description parameters, which are stored without sanitisation and later rendered into the profile page without output encoding. An authenticated user who can create or edit employee records can exploit the issue by submitting script payloads in those parameters via POST requests; the payload then executes in the browser of every user who views the affected record, which can lead to session hijacking and unauthorized manipulation of application modules.
Impact
Exploitation of this vulnerability allows for session hijacking, persistent phishing attacks, external redirects to malicious sources, and manipulation of affected application modules.
Reproduction
To reproduce this vulnerability, log into the OpenZ ERP application and navigate to the Employee module. While adding or editing an employee record, enter a script payload into the 'Mitarbeiter Name' (employee name) or 'Beschreibung' (description) field and save the record. The injected script executes whenever the employee's profile is subsequently viewed, by the submitting user or by any other user, which demonstrates that the payload is stored server-side rather than merely reflected. Viewing the page source of the profile confirms the distinction: a vulnerable build returns the payload as live markup, whereas a fixed build returns it entity-encoded as text.
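The following is an added example, not OpenZ code and not part of the advisory. It models the two halves of the reproduction above: a profile renderer that concatenates the stored name and description into HTML unescaped (the defect class the advisory describes) beside the same renderer with HTML entity encoding at the point of output, plus the check a tester performs on the saved profile, namely whether the injected payload comes back as live markup (a script element or an on* event handler) or as escaped text. The record layout, field names, template and payload are assumptions for illustration; the check also flags attribute-based vectors, which goes beyond the single script payload mentioned above.

```python
import html
from html.parser import HTMLParser

# Constructed test payload (not from the advisory); the marker is what the
# check below looks for in the rendered profile page.
XSS_PAYLOAD = "<script>alert(document.domain)</script>"


def render_profile_vulnerable(record: dict) -> str:
    """Models the defect: stored fields are concatenated into HTML with no
    output encoding, so markup in 'name' or 'description' becomes live."""
    return (
        "<div class='employee'>"
        f"<h2>{record['name']}</h2>"
        f"<p>{record['description']}</p>"
        "</div>"
    )


def render_profile_hardened(record: dict) -> str:
    """Same template, but every stored value is entity-encoded at output time
    (the fix for stored XSS regardless of what was accepted on input)."""
    return (
        "<div class='employee'>"
        f"<h2>{html.escape(record['name'], quote=True)}</h2>"
        f"<p>{html.escape(record['description'], quote=True)}</p>"
        "</div>"
    )


class _MarkupCollector(HTMLParser):
    """Collects script start tags and on* attributes that the browser would
    treat as executable; entity-encoded text never reaches handle_starttag."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.script_tags.append(tag)
        self.event_attrs.extend(
            name for name, _ in attrs if name and name.lower().startswith("on")
        )


def injected_markup(rendered: str) -> list:
    """Return the executable markup found in a rendered page, as a list of
    'script' tag names and on* attribute names; empty means nothing live."""
    parser = _MarkupCollector()
    parser.feed(rendered)
    parser.close()
    return parser.script_tags + parser.event_attrs


def is_stored_xss(rendered: str) -> bool:
    """The tester's oracle: True if the saved record rendered as live markup."""
    return bool(injected_markup(rendered))


def reproduce(render) -> dict:
    """Save a record carrying the payload in both fields (constructed data),
    render the profile with the given renderer, and report the verdict."""
    record = {"name": XSS_PAYLOAD, "description": "benign text " + XSS_PAYLOAD}
    page = render(record)
    return {"page": page, "vulnerable": is_stored_xss(page)}


if __name__ == "__main__":
    for renderer in (render_profile_vulnerable, render_profile_hardened):
        result = reproduce(renderer)
        print(f"{renderer.__name__}: vulnerable={result['vulnerable']}")
        print("  ", result["page"])
```

Running the module prints the vulnerable renderer's page with the two raw script elements and the hardened renderer's page with `&lt;script&gt;` text in their place; the parser-based check, rather than a substring match, is what makes the oracle robust to payloads that use event handlers instead of a script tag.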
