CVE-2025-66420: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Tryton sao
Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67.
AI Analysis
Technical Summary
CVE-2025-66420 is an XSS vulnerability classified under CWE-79 affecting Tryton sao, the open-source web client for the Tryton ERP system. In versions prior to 7.6.9 the client does not properly neutralize user-supplied HTML attachments before they are rendered, so an attacker with limited privileges can attach crafted HTML that, when opened by another user, executes arbitrary JavaScript in that user's browser context. Exploitation requires the attacker to have enough access to upload or attach HTML content, and it relies on user interaction (a victim opening the attachment) to trigger the payload. The CVSS 3.1 base score of 5.4 reflects medium severity: network attack vector, low attack complexity, privileges and user interaction required, and partial confidentiality and integrity impact with no availability impact. The vulnerability has been addressed in Tryton sao versions 7.6.9, 7.4.19, 7.0.38, and 6.0.67 by implementing proper input sanitization and output encoding to prevent script injection. No public exploits are currently known, but the presence of this vulnerability in widely used ERP client software poses a risk for targeted attacks, especially in environments where users handle sensitive business data.
Potential Impact
For European organizations, the impact of CVE-2025-66420 can be significant in sectors relying on Tryton ERP systems for business operations, including finance, manufacturing, and services. Successful exploitation could lead to unauthorized disclosure of sensitive information (confidentiality impact) and manipulation of data displayed to users (integrity impact), potentially facilitating further attacks such as session hijacking or phishing. Although availability is not directly affected, the breach of trust and data integrity can disrupt business processes and compliance with data protection regulations like GDPR. Organizations with multi-user environments where HTML attachments are shared are particularly vulnerable. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing or social engineering scenarios. The lack of known exploits suggests a window of opportunity for defenders to patch and harden systems before active attacks emerge.
Mitigation Recommendations
European organizations should immediately upgrade Tryton sao to one of the fixed versions: 7.6.9, 7.4.19, 7.0.38, or 6.0.67. In addition to patching, implement strict input validation and output encoding on all user-supplied content, especially HTML attachments, to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate users about the risks of interacting with untrusted attachments and implement email and file scanning solutions to detect malicious content. Limit privileges for users who can upload or share HTML content to reduce the attack surface. Monitor logs for unusual activity related to attachment uploads and user interactions. Consider isolating Tryton sao access within secure network segments and using web application firewalls (WAFs) with rules targeting XSS payloads. Regularly review and update security policies and incident response plans to address potential exploitation scenarios.
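The flaw described above and the mitigation recommendations both come down to one rule: content that a user uploaded must never reach another user's browser in a way that lets the browser execute it as a page. The following is an added illustration, not code from Tryton or sao, of how a generic attachment-serving endpoint can enforce that rule. It assumes a hypothetical server that stores attachments with a declared content type and file name; the sample attachments, the header set and the helper names are all constructed for the example. It treats an attachment as "active content" if its declared type, its extension, or a sniff of its first bytes looks like HTML, SVG or XML, and for such attachments it forces a download, neutralizes the content type, and adds a sandboxing CSP so that even a browser that renders the bytes anyway gets no script execution. A separate helper shows the output-encoding side: rendering an attachment as an escaped text preview instead of as markup.

```python
import html
import re
from typing import Dict

# Constructed sample attachments (not from the advisory): the declared
# content type is what an uploader claimed, which must not be trusted.
SAMPLE_ATTACHMENTS = {
    "report.pdf": (b"%PDF-1.4 sample", "application/pdf"),
    "invoice.html": (b"<html><body><script>alert(1)</script></body></html>", "text/html"),
    # Declared as plain text, but the bytes are markup a browser might sniff.
    "notes.txt": (b"<svg onload=alert(1)>", "text/plain"),
}

# Types and extensions a browser would render as a live document.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}
ACTIVE_EXTENSIONS = (".html", ".htm", ".xhtml", ".svg", ".xml")

# Cheap sniff for markup in the leading bytes, mirroring what browsers do
# when they guess a content type.
MARKUP_RE = re.compile(
    rb"<\s*(html|script|svg|body|iframe|img|object|embed|!doctype)\b",
    re.IGNORECASE,
)


def looks_like_markup(data: bytes) -> bool:
    """True if the first 4 KiB contain an HTML/SVG-style tag."""
    return MARKUP_RE.search(data[:4096]) is not None


def is_active_content(filename: str, content_type: str, data: bytes) -> bool:
    """Decide whether an attachment could run in a browser if rendered inline."""
    declared = content_type.split(";")[0].strip().lower()
    if declared in ACTIVE_CONTENT_TYPES:
        return True
    if filename.lower().endswith(ACTIVE_EXTENSIONS):
        return True
    return looks_like_markup(data)


def safe_attachment_headers(filename: str, content_type: str, data: bytes) -> Dict[str, str]:
    """Response headers for serving a user-uploaded attachment safely.

    Every attachment is served as a download with MIME sniffing disabled.
    Active content additionally gets an inert content type and a CSP that
    sandboxes the document and blocks all sub-resources and scripts.
    """
    # Keep the Content-Disposition header injection-proof: only a conservative
    # character set survives in the file name (no quotes, CR or LF).
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
    if is_active_content(filename, content_type, data):
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    else:
        headers["Content-Type"] = content_type
    return headers


def render_text_preview(data: bytes) -> str:
    """Output-encode an attachment for display as text inside a page.

    html.escape turns <, >, &, quotes into entities, so the bytes are shown
    to the user but never parsed as markup.
    """
    text = data.decode("utf-8", errors="replace")
    return "<pre>" + html.escape(text, quote=True) + "</pre>"


if __name__ == "__main__":
    for name, (blob, declared_type) in SAMPLE_ATTACHMENTS.items():
        print(name, safe_attachment_headers(name, declared_type, blob))
    print(render_text_preview(SAMPLE_ATTACHMENTS["invoice.html"][0]))
```

The sniffing step matters for the "declared as text/plain" case: the advisory's fix is about HTML attachments, but a defender cannot rely on the uploader's declared type, so the decision uses the file name, the declared type and the bytes together, and the sandboxing CSP plus `nosniff` act as a second layer if the classification is ever wrong.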
Affected Countries
France, Germany, United Kingdom, Netherlands, Belgium, Spain, Italy, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-30T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 692bb1a5b00568eef0c40034
Added to database: 11/30/2025, 2:53:25 AM
Last enriched: 11/30/2025, 3:09:00 AM
Last updated: 12/4/2025, 4:01:47 AM