Open Source Point of Sale
cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*
- 3.4.1
A stored cross-site scripting vulnerability has been identified in Open Source Point of Sale (OSPOS) version 3.4.1. The issue arises in the Create/Update Customer module, where user input in the phone_number parameter is not properly sanitized before being saved and displayed. This flaw allows remote attackers to inject arbitrary HTML or JavaScript, which is executed in the context of other users' browsers when the affected customer record is accessed. This could lead to session hijacking or unauthorized actions.
Exploitation of this vulnerability allows for injected scripts to be executed in the context of the user viewing the customer record, potentially leading to session hijacking and unauthorized actions within the application.
To reproduce this vulnerability, log into the application with an admin account and navigate to the Customers tab. Create a new customer and insert a malicious payload, such as an image tag with an error event, into the phone_number parameter. Once the customer is saved, the injected script will execute when the customer record is viewed.
Users are advised to update to Open Source Point of Sale version 3.4.2, where this vulnerability has been fixed.
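The following is an added example, not OSPOS code and not the upstream 3.4.2 fix. It shows the two generic defences against the stored XSS described above, allowlist validation of phone_number on input and HTML encoding on output, plus an audit pass that flags customer records already holding markup. The phone pattern, function names and sample rows are assumptions constructed for illustration.

```python
import html
import re

# Assumption: a conservative allowlist for phone-shaped values (digits, common
# separators, optional extension). This pattern is not taken from OSPOS.
PHONE_RE = re.compile(r"\+?[0-9(][0-9 ().\-]{2,24}(?: ?(?:x|ext\.?) ?[0-9]{1,6})?")


def is_valid_phone(value: str) -> bool:
    """Input validation: accept only values that look like a phone number."""
    return PHONE_RE.fullmatch(value.strip()) is not None


def render_phone(value: str) -> str:
    """Output encoding: make the value inert in HTML text or a quoted attribute."""
    return html.escape(value, quote=True)


def audit_customers(rows):
    """Return the ids of stored records whose phone_number fails validation."""
    return [
        row["id"]
        for row in rows
        if row["phone_number"] and not is_valid_phone(row["phone_number"])
    ]


# Constructed sample rows (hypothetical export of customer records).
SAMPLE_ROWS = [
    {"id": 1, "phone_number": "+44 20 7946 0000"},
    {"id": 2, "phone_number": "<img src=x onerror=alert(1)>"},
    {"id": 3, "phone_number": "(555) 010-1234"},
    {"id": 4, "phone_number": ""},
]

if __name__ == "__main__":
    for customer_id in audit_customers(SAMPLE_ROWS):
        print("review customer record", customer_id)
    print(render_phone(SAMPLE_ROWS[1]["phone_number"]))
```

Validation rejects the value at save time, while encoding protects every view that renders a value that was stored anyway; the audit identifies records to review and clean.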