OpenSourcePOS
cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*
- 3.4.1
A stored cross-site scripting vulnerability has been identified in OpenSourcePOS version 3.4.1, specifically within the Items module's Generate Item Barcode function. This vulnerability allows authenticated users with permission to manage items to inject arbitrary JavaScript into the Item Category field. The injected script is executed when the barcode generation feature is used for that item.
Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user viewing the generated barcode labels. This could lead to session hijacking, exposure of sensitive data, and unauthorized actions performed on behalf of the victim.
To reproduce this vulnerability, log into OpenSourcePOS v3.4.1 with an account that has permission to manage items. Navigate to the Items section and either create a new item or edit an existing one. In the Category field, inject a script payload, such as a JavaScript alert tag. Once the item is saved, go to the item list, select the modified item, and click on the Generate Barcodes button. The injected script will execute, demonstrating the cross-site scripting vulnerability.
Users are advised to update to the patched version available in OpenSourcePOS Pull Request #4357.
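As an added example (not OpenSourcePOS code), a hypothetical PHP label renderer shows the unescaped interpolation behind this class of stored XSS beside a hardened version that HTML-encodes at the output sink; the item record, field names and function names are constructed for illustration.

```php
<?php
// Added example, not OpenSourcePOS code: a hypothetical label renderer
// showing the unescaped pattern behind a stored XSS and its hardened form.
declare(strict_types=1);

// Constructed item record; the category carries the kind of payload the
// advisory describes (a script tag saved through the Items form).
$item = [
    'name'     => 'Widget',
    'category' => '<script>alert(1)</script>',
    'number'   => '0001',
];

/** Vulnerable: interpolates stored, user-controlled fields straight into HTML. */
function renderLabelVulnerable(array $item): string
{
    return "<div class=\"label\">{$item['name']} / {$item['category']}"
         . " <img src=\"barcode.php?n={$item['number']}\"></div>";
}

/** Encode one value for an HTML text or attribute context. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened: the stored value is untouched; encoding happens at the output sink. */
function renderLabelSafe(array $item): string
{
    return '<div class="label">' . esc($item['name']) . ' / ' . esc($item['category'])
         . ' <img src="barcode.php?n=' . esc(rawurlencode($item['number'])) . '"></div>';
}

// Self-check: the hardened output must carry the payload only as inert text.
$unsafe = renderLabelVulnerable($item);
$safe   = renderLabelSafe($item);
if (!str_contains($unsafe, '<script>')) {
    throw new RuntimeException('vulnerable renderer should emit the raw tag');
}
if (str_contains($safe, '<script>') || !str_contains($safe, '&lt;script&gt;')) {
    throw new RuntimeException('hardened renderer failed to encode the category');
}
echo $safe, PHP_EOL;
```

The same principle applies to any other field that reaches the barcode label template: escape at the point of output rather than trying to filter on save.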