Open Source Point of Sale Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Create/Update Item(s) module of Open Source Point of Sale (OSPOS) version 3.4.1. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML into the application via the 'name' parameter. The injected content is not properly sanitized before being stored and later displayed to users, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of users.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user viewing the affected item, which can lead to session hijacking and unauthorized actions within the application.

Reproduction

To reproduce this vulnerability, log into OSPOS v3.4.1 with an admin account and navigate to the Items tab. Create a new item and inject a script payload, such as an image tag with an 'onerror' event, into the 'name' parameter. Once the item is saved, the injected script will execute when the item is viewed.
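As an added illustration that is not OSPOS code, the pattern below shows the unsafe rendering that makes a stored 'name' dangerous next to the output-encoded form that neutralises it, plus a small audit helper a defender can run over existing item names after upgrading. The item rows and the helper names are constructed for this example.

```python
import html
import re
from typing import List

# Constructed sample rows for an OSPOS-style item table (not real data).
# The first row carries the kind of payload the advisory describes: an image
# tag whose 'onerror' handler fires when the stored name is rendered raw.
SAMPLE_ITEM_NAMES = [
    '<img src=x onerror=alert(1)>',
    'Coffee Mug 12oz',
    'T-Shirt "Large" & Blue',
]

def render_item_row_vulnerable(name: str) -> str:
    """The flawed pattern: stored input placed into HTML as-is."""
    return f"<td>{name}</td>"

def render_item_row(name: str) -> str:
    """Hardened pattern: encode for the HTML text context at output time.
    quote=True also encodes quotes, so the same helper is safe inside
    double-quoted attribute values."""
    return f"<td>{html.escape(name, quote=True)}</td>"

# Anything that still looks like a tag or an event-handler attribute is
# worth a human look; encoding makes it inert, but the record stays poisoned.
MARKUP_RE = re.compile(r"<[a-zA-Z/!]|\bon[a-z]+\s*=", re.IGNORECASE)

def audit_item_names(names: List[str]) -> List[str]:
    """Return stored names that contain markup, so rows written before the
    fix can be reviewed and cleaned rather than only re-rendered safely."""
    return [n for n in names if MARKUP_RE.search(n)]

if __name__ == "__main__":
    for n in SAMPLE_ITEM_NAMES:
        print(render_item_row(n))
    print("suspicious:", audit_item_names(SAMPLE_ITEM_NAMES))
```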

Remediation

Users are advised to update to Open Source Point of Sale version 3.4.2, where this vulnerability has been fixed.

Added: Dec 17, 2025, 5:21 PM
Updated: Dec 17, 2025, 7:39 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 5.9
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.