Open Source Point of Sale
cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*
- <= 3.4.2
A stored cross-site scripting vulnerability has been identified in Open Source Point of Sale versions prior to 3.4.3. This issue arises in the Stock Locations configuration feature, where user input through the stock_location parameter is not properly sanitized. As a result, attackers can inject malicious JavaScript that is saved in the database and executed when the Employees interface is accessed. The vulnerability allows for the execution of arbitrary JavaScript in the context of other users' browsers, potentially leading to actions being performed on behalf of authenticated users, application interface defacement, or phishing and credential harvesting attacks.
Exploitation of this vulnerability allows injected JavaScript to execute in the browsers of users viewing the Employees interface, with the potential to perform actions on behalf of those users, deface the application interface, or conduct phishing or credential harvesting attacks.
To reproduce this vulnerability, log into the application with a valid account and navigate to the Stock Locations configuration under the Stock tab. Insert a JavaScript payload, such as an image tag with an error event, into the Stock Locations field and submit the form. Then, go to the Employees section and create a New Employee, where the injected payload will execute.
Users can update to Open Source Point of Sale version 3.4.3 or later, where this vulnerability has been patched.
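An added example, not part of the advisory or the project's code: a Python audit that flags stock location names containing markup, for reviewing values that were saved while a vulnerable version was in use. The row shape `(location_id, location_name)` and the sample rows are assumptions constructed for illustration; reading the rows from the database is left out.

```python
import html
import re

# Patterns that have no place in a plain-text location name.
MARKUP_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z!]"),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "script_uri": re.compile(r"\bjavascript\s*:", re.IGNORECASE),
}

def normalise(value):
    """Decode HTML entities (up to 3 passes) so encoded markup is also caught."""
    for _ in range(3):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit_locations(rows):
    """Return one finding per row whose name contains markup-like content.

    rows: iterable of (location_id, location_name) tuples (assumed shape).
    """
    findings = []
    for location_id, name in rows:
        candidate = normalise(name)
        reasons = sorted(k for k, rx in MARKUP_PATTERNS.items() if rx.search(candidate))
        if reasons:
            findings.append({
                "id": location_id,
                "reasons": reasons,
                # Escaped form is safe to place in an HTML report.
                "escaped": html.escape(name, quote=True),
            })
    return findings

# Constructed sample rows, not data from a real installation.
SAMPLE_ROWS = [
    (1, "Main Warehouse"),
    (2, "Store #2 (5 < 10 km)"),               # bare "<" is not a tag
    (3, "<img src=x onerror=alert(1)>"),        # image tag with error event
    (4, "&lt;img src=x onerror=alert(1)&gt;"),  # same value, entity-encoded
]

if __name__ == "__main__":
    for finding in audit_locations(SAMPLE_ROWS):
        print(finding["id"], ",".join(finding["reasons"]), finding["escaped"])
```

Flagged rows should be reviewed and corrected by an administrator; the `escaped` field shows the output-encoded form in which such a value renders as inert text.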