CVE-2025-66421 is a Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting the Tryton sao web client prior to version 7.6.11. The vulnerability stems from improper neutralization of input during web page generation, specifically the failure to escape completion values that are rendered in the user interface. This allows an attacker with at least limited privileges (PR:L) to inject malicious scripts that execute in the context of other users' browsers when they interact with the affected interface. The CVSS v3.1 base score is 5.4 (medium), reflecting network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R), with a scope change (S:C) and limited confidentiality and integrity impacts (C:L/I:L), but no impact on availability (A:N). The vulnerability affects multiple versions of Tryton sao, including 7.0.0, 7.1.0, and 7.5.0, and has been addressed in subsequent patch releases 7.6.11, 7.4.21, 7.0.40, and 6.0.69. No known exploits are currently reported in the wild. The flaw could be exploited in environments where users have access to the Tryton sao client and can be tricked into interacting with maliciously crafted completion values, potentially leading to session hijacking, data theft, or unauthorized actions within the application. This vulnerability highlights the importance of proper input sanitization and output encoding in web applications, especially those handling business-critical data like Tryton.

For European organizations using Tryton sao, this vulnerability poses a moderate risk primarily to confidentiality and integrity of data. Successful exploitation could allow attackers to execute scripts in the context of legitimate users, potentially leading to theft of session tokens, unauthorized data access, or manipulation of application data. While availability is not impacted, the breach of confidentiality or integrity could disrupt business operations, damage reputation, and lead to regulatory compliance issues under GDPR if personal data is exposed. Organizations in sectors such as finance, manufacturing, and public administration that rely on Tryton for enterprise resource planning (ERP) functions are particularly at risk. The requirement for user interaction and privileges limits the attack scope but does not eliminate risk, especially in environments with many users or where phishing/social engineering could be used to trigger the vulnerability. The lack of known exploits in the wild suggests a window of opportunity for proactive defense before active exploitation emerges.

1. Immediately upgrade Tryton sao to the fixed versions: 7.6.11, 7.4.21, 7.0.40, or 6.0.69 depending on your deployment version. 2. Implement strict input validation and output encoding on all user-supplied data, especially completion values rendered in the UI. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Educate users about phishing and social engineering risks to reduce the chance of malicious interaction triggering the vulnerability. 5. Monitor application logs and user activity for unusual patterns that could indicate exploitation attempts. 6. Conduct regular security assessments and penetration testing focused on web application vulnerabilities. 7. If immediate patching is not feasible, consider temporary mitigations such as disabling or restricting features that use completion values or filtering inputs at the web server or proxy level.