Open Source Point of Sale Stored Cross-Site Scripting Vulnerability in Daily Sales Management

Vulnerability

A stored cross-site scripting vulnerability has been identified in Open Source Point of Sale versions prior to 3.4.3. The issue arises in the Daily Sales management table, where the customer_name column is set to escape: false. This configuration allows customer names to be displayed as raw HTML. An attacker with customer management permissions could inject arbitrary JavaScript into a customer's first or last name, which would then execute in the browser of any user viewing the Daily Sales page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript executes in the context of the user viewing the Daily Sales page. This could enable an attacker to perform actions on behalf of the victim, such as reading the CSRF token and making AJAX requests. Low-privilege employees could potentially target admin users, gaining full control of the application.

Reproduction

To reproduce this vulnerability, create a customer with an XSS payload in the first name field, such as an image tag with an error event. After saving the customer, create a sale associated with this customer. Finally, navigate to the Daily Sales management page, where the injected script will execute when the customer name is rendered.

Remediation

Users can update to Open Source Point of Sale version 3.4.3 or later, where this vulnerability has been fixed.
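The effect of the escape: false column setting described under Vulnerability, shown as an added example that is not Open Source Point of Sale code. The renderer is a hypothetical stand-in for the table component, and the field names (person_id, first_name, last_name) and customer rows are constructed assumptions. It also includes an audit helper that lists stored names containing markup characters.

```javascript
// Added example, not OSPOS code. Renderer, field names and rows are constructed.

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical table-cell renderer: a column emits raw HTML only when it
// explicitly sets escape: false, the setting the advisory describes.
function renderCell(row, column) {
  const value = row[column.field] ?? '';
  return '<td>' + (column.escape === false ? String(value) : escapeHtml(value)) + '</td>';
}

const vulnerableColumn = { field: 'customer_name', escape: false };
const hardenedColumn = { field: 'customer_name', escape: true };

// Audit helper: ids of stored customers whose names contain markup characters,
// so names already saved in the database can be reviewed and cleaned.
function findSuspiciousCustomers(customers) {
  return customers
    .filter((c) => /[<>]/.test(`${c.first_name} ${c.last_name}`))
    .map((c) => c.person_id);
}

// Constructed sample rows (assumed field names).
const customers = [
  { person_id: 1, first_name: 'Ana', last_name: "O'Neil" },
  { person_id: 2, first_name: '<img src=x onerror=alert(1)>', last_name: 'Doe' },
];

// Render the second customer's name both ways and run the audit.
function demo() {
  const row = { customer_name: `${customers[1].first_name} ${customers[1].last_name}` };
  return {
    raw: renderCell(row, vulnerableColumn),     // markup reaches the page unchanged
    escaped: renderCell(row, hardenedColumn),   // markup is shown as inert text
    flagged: findSuspiciousCustomers(customers),
  };
}

console.log(demo());
```

A legitimate name such as O'Neil is not flagged by the audit and is still displayed correctly after escaping, because the browser decodes the entity back to an apostrophe.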

Added: Apr 7, 2026, 10:14 PM
Updated: Apr 7, 2026, 10:14 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.