Open Source Point of Sale Cross-Site Scripting Vulnerability in Item Kit Management

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Open Source Point of Sale (OSPOS) application, specifically in version 3.4.1. It allows remote attackers to inject arbitrary web scripts or HTML into the application. The issue arises in the Create/Update Item Kit(s) module, where user input in the 'name' parameter is not properly sanitized before being stored and later displayed. As a result, the injected script executes in the browser of any user who views the affected item kit.
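To make the "stored, then displayed without sanitization" failure concrete, here is an added illustration (not OSPOS code) contrasting an unescaped render of an item-kit name with an output-encoded one, plus an input-side check that flags names carrying HTML markup; the sample names and the `kit-name` cell are constructed for the example.

```python
# Added example, not OSPOS code: contrast an unescaped item-kit name render
# with an HTML-encoded render, plus a server-side check for markup in the name.
import html
import re

# Constructed sample values as they might arrive in the 'name' parameter.
BENIGN_NAME = "Breakfast Combo & Coffee"
MARKUP_NAME = '<img src=x onerror="alert(1)">'  # constructed hostile input


def render_unescaped(name: str) -> str:
    """Vulnerable pattern: the stored name is interpolated into HTML as-is."""
    return f'<td class="kit-name">{name}</td>'


def render_escaped(name: str) -> str:
    """Hardened pattern: HTML-encode at the point of output, so angle brackets
    and quotes become inert entities and the name renders as literal text."""
    return f'<td class="kit-name">{html.escape(name, quote=True)}</td>'


# Matches an opening or closing HTML tag anywhere in the string.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(name: str) -> bool:
    """Input-side check for defence in depth: does the name carry an HTML tag?
    Output encoding stays the primary control; this only adds a second layer
    (for rejecting the value or logging the attempt)."""
    return bool(_TAG_RE.search(name))


if __name__ == "__main__":
    for n in (BENIGN_NAME, MARKUP_NAME):
        print("unescaped:", render_unescaped(n))
        print("escaped:  ", render_escaped(n))
        print("flagged:  ", contains_markup(n))
```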

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the item kit.

Reproduction

To reproduce this vulnerability, log into the OSPOS application with an admin account. Navigate to the 'Item Kits' section and create a new item kit. Insert a payload, such as an image tag with an error event, into the 'name' parameter. Once the item kit is saved, the injected script will execute when the item kit is viewed.

Remediation

Users are advised to update to Open Source Point of Sale version 3.4.2, where this vulnerability has been fixed.

Added: Dec 17, 2025, 6:18 PM
Updated: Dec 17, 2025, 7:35 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          1.7
  exploitability  5.9
  remediation     0.0
  relevance       1.5
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.