Open Source Point of Sale Stored Cross-Site Scripting Vulnerability in Configuration Information Functionality

A stored cross-site scripting vulnerability has been identified in Open Source Point of Sale (OSPOS) versions 3.4.0 and 3.4.1. The issue resides within the Configuration (Information) feature, where an authenticated user with the permission to change OSPOS's configuration can inject a malicious JavaScript payload into the Company Name field. This payload is stored and executed when the user accesses the sales completion page. The vulnerability arises from inadequate input validation and output encoding, allowing the injected script to run in the user's browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an authenticated user with the appropriate permissions can navigate to the Configuration Information section and enter a JavaScript payload into the Company Name field. After saving the changes, the payload will be executed when the user accesses the sales completion page.

Remediation

Users can upgrade to Open Source Point of Sale version 3.4.2, where this vulnerability has been patched.