OpenSourcePOS Stored Cross-Site Scripting Vulnerability in Customers Module

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in OpenSourcePOS version 3.4.1, in the Customers module. An authenticated user with permission to manage customers can store arbitrary HTML and JavaScript in the Phone Number field of a customer record. Because the stored value is rendered back into the page without adequate output encoding, the injected script executes in the browser of any user who subsequently views that record, which can lead to session hijacking, exposure of sensitive information, and actions performed on behalf of the victim.

Impact

The injected JavaScript runs within the OpenSourcePOS origin in the browser of whichever user opens the affected customer record. Depending on that user's privileges, it can be used to hijack the session, read any data the victim can see, or submit requests on the victim's behalf. Note that the attacker needs only customer-management rights, while the victim may be any user who views the record, including a higher-privileged one; a stored payload therefore gives a low-privileged account a path to actions it could not perform directly.

Reproduction

To reproduce this vulnerability, log into OpenSourcePOS v3.4.1 with an account that has permission to manage customers. Navigate to the Customers section and either create a new customer or edit an existing one. In the Phone Number field, enter a script tag containing JavaScript, for example <script>alert(document.domain)</script>, and submit the form. Open the saved customer record: the alert fires, showing that the stored value was rendered as HTML rather than as text. Showing document.domain rather than a fixed string confirms the script executes within the application's origin.

Remediation

The primary fix is contextual output encoding: every user-supplied value must be HTML-entity encoded before it is written into a page, using an encoder that also handles quotes so that values placed inside attributes (such as the value of the phone input on the edit form) cannot break out of them. Input validation for the Phone Number field, restricting it to characters that actually occur in phone numbers, is worthwhile as defence in depth but is not a substitute for encoding, since the same value may reach the page through other write paths. Other input fields in the Customers module, and any other view that renders customer data, should be reviewed for the same pattern.
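The following PHP is an added illustration for this advisory, not code from OpenSourcePOS. It places the vulnerable rendering pattern (raw concatenation of the stored value into HTML) beside the hardened form for both element content and an attribute context, and adds the phone-number whitelist check described above. The function names, the HTML fragments and the sample stored value are constructed for the example.

```php
<?php
// Added example for this advisory; not OpenSourcePOS code. Function names,
// markup and the sample value below are illustrative assumptions.

declare(strict_types=1);

// Constructed sample: the value an attacker stores in the Phone Number field.
// The leading "> is what breaks out of an attribute value if it is not encoded.
const STORED_PHONE = '"><script>alert(document.domain)</script>';

// VULNERABLE: the stored value is concatenated straight into HTML.
function renderPhoneVulnerable(string $phone): string
{
    return '<td class="phone">' . $phone . '</td>';
}

// HARDENED (element content): HTML-entity encode on output.
function renderPhoneSafe(string $phone): string
{
    return '<td class="phone">' . encodeHtml($phone) . '</td>';
}

// HARDENED (attribute context, e.g. the edit form). ENT_QUOTES encodes both
// ' and ", so a stored "> cannot terminate the value attribute.
function renderPhoneInputSafe(string $phone): string
{
    return '<input type="text" name="phone_number" value="' . encodeHtml($phone) . '">';
}

// One encoder used for every output path, so the rule is applied uniformly.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input validation as defence in depth: optional leading +, then digits,
// spaces, dots, parentheses and hyphens only. Encoding on output remains
// mandatory; this check can be bypassed through other write paths or relaxed
// later, so it is not the fix on its own.
function isValidPhone(string $phone): bool
{
    return preg_match('/^\+?[0-9][0-9 .()\-]{4,29}$/', $phone) === 1;
}

// Demonstration: compare the three renderings and the validation results.
echo renderPhoneVulnerable(STORED_PHONE), PHP_EOL;
echo renderPhoneSafe(STORED_PHONE), PHP_EOL;
echo renderPhoneInputSafe(STORED_PHONE), PHP_EOL;
var_dump(isValidPhone(STORED_PHONE));
var_dump(isValidPhone('+1 (555) 010-2030'));
```

Run with php from the command line and compare the first line of output, which still contains a live script element, with the second and third, in which every <, >, " and ' has become an entity and the browser would display the payload as text. The validation rejects the sample and accepts an ordinary international number; if the application accepts extension markers or other characters, widen the character class rather than dropping the encoding.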

Added: Feb 13, 2026, 4:39 PM
Updated: Feb 13, 2026, 5:31 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          1.7
exploitability  6.3
remediation     7.7
relevance       2.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.