LionCoders SalePro POS Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Customer Management Module of LionCoders SalePro POS version 5.4.8. This vulnerability allows authenticated attackers to inject arbitrary web scripts or HTML into the 'Customer Name' parameter while creating or editing customer profiles. The injected malicious content is not properly sanitized before being stored and later displayed, which can result in the execution of scripts in the browsers of users who view the affected customer details.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the customer details.
Reproduction
To reproduce this vulnerability, an authenticated user can create or edit a customer profile in LionCoders SalePro POS 5.4.8. During this process, the user can inject a script or HTML payload into the 'Customer Name' parameter. Once the profile is saved, the injected content will be executed in the browser when the customer details are viewed.
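The following is an added illustration, not code from SalePro POS: a minimal model of the customer-details rendering path, showing why echoing the stored 'Customer Name' straight into HTML yields stored XSS, the output-encoding fix, and a check a test suite can run. The record, function names and the sample name are constructed.

```javascript
// Added example (not LionCoders' code): models the customer-details page.
// Constructed customer record as it would sit in the database after save.
const storedCustomer = {
  id: 42,
  name: "Acme <script>x()</script> & Sons",
};

// Vulnerable rendering: the stored name is concatenated directly into HTML,
// so any markup saved in the field becomes part of the page.
function renderCustomerVulnerable(customer) {
  return `<h2>Customer: ${customer.name}</h2>`;
}

// Contextual output encoding for the HTML text / attribute-value context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: every user-controlled value is encoded at output time,
// regardless of what validation happened when the profile was saved.
function renderCustomerFixed(customer) {
  return `<h2>Customer: ${escapeHtml(customer.name)}</h2>`;
}

// Regression check: does any tag that came from the untrusted value survive
// verbatim in the rendered HTML? True means the page is still injectable.
function containsRawTag(html, untrusted) {
  const tags = untrusted.match(/<[^>]+>/g) || [];
  return tags.some((tag) => html.includes(tag));
}
```

Encoding at the output boundary is the fix; input filtering alone is brittle because the same stored value may be rendered in several contexts.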