OpenSourcePOS Cross-Site Scripting Vulnerability in Item Kits Function

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenSourcePOS version 3.4.1, specifically within the Item Kits function. This vulnerability allows authenticated users with item management privileges to inject arbitrary web scripts or HTML into the Item Name parameter. The injected payload is executed when the crafted item is selected while creating a new Item Kit.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the victim's browser, which could lead to session hijacking, disclosure of sensitive information, and unauthorized actions performed on behalf of the victim. The severity of the impact varies depending on the privileges of the affected user.

Reproduction

To reproduce this vulnerability, an authenticated user with item management privileges should log into OpenSourcePOS v3.4.1 and navigate to the Items section. After creating a new item with a script payload in the Item Name field, this item can be selected in the Item Kits module, where the injected script will execute in the browser.

Remediation

Users are advised to apply strict output encoding, such as HTML entity encoding, before rendering item names in the Item Kits interface. Input validation should also be enforced for the Item Name field. Additionally, a review of other item-related fields and modules for similar XSS issues is recommended.
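To illustrate the two controls recommended above, here is an added JavaScript example (not OpenSourcePOS code; the function names and the sample item are assumptions) that contrasts an item-name rendering path which concatenates raw text into Item Kit markup with one that HTML-entity-encodes every dynamic value, plus a simple validation check for the Item Name field.

```javascript
// Added example, not part of OpenSourcePOS: entity-encode item names before
// they are placed into Item Kit markup, and validate the Item Name on input.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can alter HTML structure or break out of an
// attribute value; apply to all untrusted data that is written into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the stored name is concatenated straight into an HTML
// string, so any markup saved in the name is parsed when the row is inserted.
function renderKitRowUnsafe(item) {
  return `<tr><td>${item.name}</td><td>${item.quantity}</td></tr>`;
}

// Hardened pattern: each dynamic value is entity-encoded, so the browser
// displays the stored text literally instead of interpreting it as HTML.
function renderKitRowSafe(item) {
  const name = escapeHtml(item.name);
  const qty = escapeHtml(item.quantity);
  return `<tr><td>${name}</td><td>${qty}</td></tr>`;
}

// Input validation for the Item Name field (assumed limits): reject empty or
// over-long names and angle brackets, which have no place in a product name.
// This is defence in depth; output encoding is still required.
function isValidItemName(name) {
  return typeof name === "string"
    && name.length > 0
    && name.length <= 255
    && !/[<>]/.test(name);
}

// Constructed sample item whose name contains markup-significant characters.
const sampleItem = { name: 'Widget "A" <b>&</b>', quantity: 2 };

console.log(renderKitRowUnsafe(sampleItem)); // markup reaches the page as-is
console.log(renderKitRowSafe(sampleItem));   // markup is shown as text
console.log(isValidItemName(sampleItem.name)); // false: rejected on input
```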

Added: Feb 12, 2026, 11:18 PM
Updated: Feb 12, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.