Tryton sao Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in Tryton sao, the web client for Tryton, in releases before 7.6.11, 7.4.21, 7.0.40 and 6.0.69. The client does not escape the values it displays in the completion (autocomplete) list of a Party field, so HTML and JavaScript stored in a Party record, for example in its Name, is rendered as markup and executed in the browser of any user whose completion list shows that record. The Party field appears in many modules, including Company and Employee, so the stored payload is reachable from many forms.
Impact
An attacker who can create or edit a Party record (in practice an authenticated user with write access to parties) can store a payload that runs arbitrary JavaScript in the browser of every other user whose completion list shows the poisoned record, including administrators. The script runs in the origin of the Tryton web client with the victim's privileges, so it can read data the victim can read, perform actions on the victim's behalf, or steal session or cookie material. The payload persists in the database and keeps firing until the affected Party entry is renamed or deleted or the client is patched; patching stops the execution but does not remove the stored payload.
Reproduction
To reproduce, log in as a user allowed to create parties, create a new Party and put a crafted payload in its Name field, for example an image tag whose onerror handler runs JavaScript (the image source is chosen so that it fails to load, which fires the handler). Save the record. Then, as any user, open a form that has a Party field, such as a new Company or Employee, and start typing the party's name so that it appears in the completion suggestions. On a vulnerable client the handler runs in that user's browser when the suggestion is rendered and when the Party is selected.
Remediation
Upgrade Tryton sao to 7.6.11, 7.4.21, 7.0.40 or 6.0.69 (or a later release of the same series), which escape completion values before rendering them. After upgrading, review existing Party names for stored markup, since the fix prevents execution but leaves any already-injected payload in the database.
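The following is an added illustration of the vulnerability class described in the Reproduction and Remediation sections; it is not Tryton sao's code, and the function names (renderCompletionUnsafe, renderCompletionSafe, auditPartyNames) and the sample party names are hypothetical and constructed for this example. It shows the vulnerable pattern (a completion value spliced into markup as-is), the hardened pattern (the same value escaped before rendering), and a simple post-upgrade check for Party names that still carry markup.

```javascript
// Added illustration of the stored-XSS class, NOT Tryton sao's own code.
// All function names here are hypothetical.

// Constructed sample records, as they might sit in the party table after an
// attacker saved a crafted Name. The second one carries the payload: the
// image source never loads, so the onerror handler fires on render.
const PARTY_NAMES = [
  'Acme Trading Ltd',
  '<img src=x onerror="alert(document.domain)">',
  'Smith & Sons',
];

// Vulnerable pattern: the completion value is concatenated into markup and
// would later be assigned to innerHTML, so <img ... onerror=...> becomes a
// live element and the handler runs as soon as the suggestion is rendered.
function renderCompletionUnsafe(name) {
  return '<div class="completion-item">' + name + '</div>';
}

// Hardened pattern: escape the HTML metacharacters before the value is
// placed in a text position. The browser then shows the literal string
// "<img ...>" and creates no element (equivalent to setting textContent).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCompletionSafe(name) {
  return '<div class="completion-item">' + escapeHtml(name) + '</div>';
}

// DOM-free check used below: after stripping the known wrapper, does the
// rendered payload area still contain an unescaped tag opener?
function containsLiveTag(html) {
  const inner = html
    .replace(/^<div class="completion-item">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Post-upgrade audit: the fix stops the payload from executing but does not
// remove it from the database. Flag stored names that contain a tag opener,
// an inline event handler attribute or a javascript: URL so they can be
// reviewed and cleaned. This is a review heuristic; false positives are fine.
const MARKUP_RE = /<\s*[a-zA-Z!\/]|\bon[a-z]+\s*=|javascript:/i;

function auditPartyNames(names) {
  return names.filter((n) => MARKUP_RE.test(n));
}

// Stand-alone demonstration.
for (const name of PARTY_NAMES) {
  console.log('unsafe :', renderCompletionUnsafe(name),
              containsLiveTag(renderCompletionUnsafe(name)) ? '(live tag!)' : '');
  console.log('safe   :', renderCompletionSafe(name));
}
console.log('names needing review:', auditPartyNames(PARTY_NAMES));
```

Run the audit against the exported Name column of the party table after upgrading; any hit should be inspected and the record renamed or deleted, because the upgrade alone leaves the stored payload in place.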
