OpenSourcePOS Cross-Site Scripting Vulnerability in Item Management and Sales Invoice Function

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenSourcePOS version 3.4.1. This issue allows authenticated attackers with item management permissions to inject malicious JavaScript into the Item Name field. The injected script is executed in the browsers of users who view invoices containing the tainted item.

Impact

Exploitation of this vulnerability allows session hijacking of administrative users who view the affected invoices, theft of sensitive financial or customer data, unauthorized actions performed through the injected script, and phishing by redirecting users or presenting fake login forms.

Reproduction

To reproduce this vulnerability, log in to OpenSourcePOS v3.4.1 with an account that has permissions to manage items. Once logged in, navigate to the item management section and either create a new item or edit an existing one. In the Item Name field, inject a script payload, such as a JavaScript alert. After saving the item, go to the Sales or Receivings module, add the malicious item to a transaction, and complete the sale or invoice. The injected script will execute as soon as the invoice is viewed.

Remediation

Users are advised to update to OpenSourcePOS version 3.4.2 or later, where this vulnerability has been patched.
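The root cause described above is that the stored Item Name is rendered into the invoice page without output encoding. The following is an added example, not code from OpenSourcePOS or from the advisory author, showing the two things a defender wants while rolling out the 3.4.2 upgrade: the difference between rendering an item name raw and rendering it HTML-escaped, and a triage sweep over exported item records to find names already containing markup or event-handler syntax. The record layout (item_id, name), the sample data and the invoice markup are assumptions constructed for the example.

```python
import html
import re

# Constructed sample item records. The field names are an assumption for this
# example and do not reflect OpenSourcePOS's real database schema.
ITEMS = [
    {"item_id": 1, "name": "Espresso"},
    {"item_id": 2, "name": "Bagel <b>Plain</b>"},
    {"item_id": 3, "name": "<script>alert(1)</script>Muffin"},
    {"item_id": 4, "name": 'Latte" onmouseover="alert(1)'},
]

# Coarse triage heuristic: a tag opener, an inline event handler assignment,
# or a javascript: URL. Tuned for an audit sweep, not for use as a filter,
# because output encoding (below) is the actual fix.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_invoice_line_unsafe(item, qty):
    """The vulnerable pattern: the stored name is interpolated into HTML as-is."""
    return f"<tr><td>{item['name']}</td><td>{qty}</td></tr>"


def render_invoice_line(item, qty):
    """The hardened pattern: HTML-escape the name at output time.

    quote=True also encodes " and ', so the value cannot break out of an
    attribute context if the template later puts it inside one.
    """
    return f"<tr><td>{html.escape(item['name'], quote=True)}</td><td>{qty}</td></tr>"


def find_suspicious_items(items):
    """Return the ids of items whose stored name contains markup-like content."""
    return [it["item_id"] for it in items if MARKUP_RE.search(it["name"])]


if __name__ == "__main__":
    tainted = ITEMS[2]
    print("unsafe :", render_invoice_line_unsafe(tainted, 1))
    print("escaped:", render_invoice_line(tainted, 1))
    print("items to review:", find_suspicious_items(ITEMS))
```

The sweep is intentionally noisy: item 2 is only bold markup, but after an incident a reviewer wants to see every name that would be parsed as HTML, then decide case by case whether it is a legitimate label or injected content.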

Added: Feb 13, 2026, 4:25 PM
Updated: Feb 13, 2026, 11:09 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.