OpenSourcePOS Stored Cross-Site Scripting Vulnerability in Return Policy Configuration

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenSourcePOS versions 3.4.0 and 3.4.1, within the 'Return Policy' configuration field. The issue arises because the application fails to properly sanitize user input before saving it to the database or displaying it on receipts. This vulnerability allows an authenticated attacker with access to the 'Store Configuration' to inject malicious JavaScript payloads, which are executed in the browser of any user who views a receipt or completes a transaction. The vulnerability has been patched in version 3.4.2.

Impact

Because the payload is stored, the injected script runs in the browser of every user who views an affected receipt, in that user's session context. This could lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the 'Store Configuration' panel. In the 'Return Policy' text area, inject a script payload, such as a JavaScript alert, and submit the form. The injected script will be executed when the receipt is viewed, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to OpenSourcePOS version 3.4.2, where this vulnerability has been fixed. The patch ensures that the 'Return Policy' field is properly sanitized before being displayed on receipts.
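The following Python is an added illustration of the defect class and its fix as described above; it is not OpenSourcePOS code and the function names and the stored sample value are constructed for this example. It contrasts rendering the stored 'Return Policy' value unchanged with HTML-encoding it before display (encoding first, then converting text-area newlines to `<br>`), and adds a post-upgrade audit that flags markup already saved in the field, since upgrading makes such a value inert on receipts but does not remove it from the database.

```python
import html
import re

# Constructed sample of a multi-line 'Return Policy' value as saved on a
# vulnerable install; the second line is a harmless alert payload.
STORED_RETURN_POLICY = (
    "Returns accepted within 30 days with receipt.\n"
    "<script>alert(1)</script>"
)


def render_return_policy_vulnerable(policy: str) -> str:
    # Mirrors the defect: the stored value is interpolated into the receipt
    # HTML unchanged, so any markup it carries becomes live DOM for the viewer.
    return f"<div class='return-policy'>{policy}</div>"


def render_return_policy(policy: str) -> str:
    # Hardened form: HTML-encode first, then turn newlines into <br> so line
    # breaks from the text area survive but stored markup does not. The order
    # matters: converting newlines before encoding would encode the <br> too.
    encoded = html.escape(policy, quote=True)
    return "<div class='return-policy'>" + encoded.replace("\n", "<br>") + "</div>"


_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def audit_return_policy(policy: str) -> list[str]:
    # Post-upgrade check on the stored value: returns every HTML tag found so
    # an operator can tell whether the field was tampered with before the fix.
    return _TAG_RE.findall(policy)
```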

Added: Dec 17, 2025, 11:21 PM
Updated: Dec 17, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 5.9
remediation: 7.9
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.