Stocky POS Stored Cross-Site Scripting Vulnerability in Products Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in Stocky POS with Inventory Management & HRM (ui-lib) version 5.0. This vulnerability exists within the Products module, specifically in the product name parameter submitted through the product creation endpoint via a standard POST form. The issue arises from inadequate input sanitization and output encoding, allowing authenticated users to inject HTML or JavaScript payloads. Once injected, these payloads are stored and later rendered without encoding in several product views, including the product listing and detail pages, where they execute. This vulnerability enables authenticated attackers to execute arbitrary JavaScript in the context of other users, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the browsers of users viewing the affected product, including administrators. This could result in session theft, unauthorized access to high-privilege accounts, and exfiltration of sensitive business data.

Reproduction

To reproduce this vulnerability, log into Stocky POS version 5.0 with valid credentials. Navigate to the Products module and open the 'Create Product' form. In the 'Name' field, enter a JavaScript payload, such as one that triggers an alert. Once the product is saved, the injected script will execute when the product list or detail page is accessed, demonstrating the stored XSS vulnerability.

Remediation

Developers are advised to sanitize input by removing or neutralizing HTML and JavaScript in text fields, to apply output encoding appropriate to the context (element content, attribute value, script data) before rendering dynamic content, and to reject dangerous markup such as script tags and event-handler attributes. Additionally, a restrictive Content Security Policy should be enforced to disable inline JavaScript execution.
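The following is an added example, not code from Stocky POS, showing the defensive measures above applied to a product name: a heuristic check for stored names that carry markup, context-specific encoding when the listing row is rendered, and a CSP header without inline script. The product record, the regex heuristic and the header value are assumptions chosen for illustration.

```python
import html
import re

# Constructed sample record: a stored product name of the kind the advisory
# describes, carrying markup that must be neutralised before it reaches a browser.
PRODUCT = {"id": 42, "name": "<img src=x onerror=alert(1)>Widget", "price": "9.99"}

# Heuristic (assumption, not a complete parser): tag openers, event-handler
# attributes and javascript: URLs. Useful for auditing names already in the database.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """Return True when a stored text value appears to contain HTML or script."""
    return bool(MARKUP_RE.search(value))


def render_product_row(product: dict) -> str:
    """Render one listing row, encoding the name separately for each output context."""
    # Element content: & < > must be encoded so the browser treats the name as text.
    name_text = html.escape(product["name"], quote=False)
    # Quoted attribute value: additionally encode quotes so the attribute cannot be closed.
    name_attr = html.escape(product["name"], quote=True)
    price = html.escape(str(product["price"]))
    return (
        f'<tr data-product-id="{int(product["id"])}">'
        f'<td title="{name_attr}">{name_text}</td>'
        f"<td>{price}</td>"
        f'<td><button data-name="{name_attr}">Edit</button></td>'
        "</tr>"
    )


def csp_header() -> str:
    """Restrictive policy (assumed value): scripts only from the site itself, no inline script."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"


if __name__ == "__main__":
    print("stored name looks like markup:", looks_like_markup(PRODUCT["name"]))
    print(render_product_row(PRODUCT))
    print("Content-Security-Policy:", csp_header())
```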

Added: Sep 22, 2025, 9:57 PM
Updated: Sep 22, 2025, 9:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.3
exploitability: 6.3
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.