CVE-2025-68147

Exploit

EPSS 0.05%
Veröffentlicht 17.12.2025 22:16:36
Zuletzt bearbeitet 18.12.2025 19:53:06
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration field. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to the "Store Configuration" (such as a rogue administrator or an account compromised via the separate CSRF vulnerability) can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user (including other administrators and sales staff) whenever they view a receipt or complete a transaction. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The vulnerability has been patched in version 3.4.2 by ensuring the output is escaped using the `esc()` function in the receipt template. As a temporary mitigation, administrators should ensure the "Return Policy" field contains only plain text and strictly avoid entering any HTML tags. There is no code-based workaround other than applying the patch.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensourcepos ≫ Open Source Point Of Sale Version >= 3.4.0 < 3.4.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.159

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	1.7	5.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
security-advisories@github.com	8.1	1.7	5.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh

Vendor Advisory

Exploit

https://github.com/opensourcepos/opensourcepos/commit/22297a

Patch

https://github.com/Nixon-H/CVE-2025-68147-OSPOS-Stored-XSS

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-68147

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68147

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68147

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-68147