Key Vulnerability Information

CVE ID: CVE-2025-60503 (RESERVED)
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Severity: High
Affected Product: UltimatePOS by UltimateFosters
Affected Version: v4.8

Overview

Summary: A Stored XSS vulnerability exists in the UltimatePOS admin panel (v4.8) where unsanitized user input in the field of the Purchases module is rendered without proper escaping in the Reports → Activity Log page.
Impact: Allows an attacker with admin access to execute arbitrary JavaScript in the context of another administrator's browser session.

Technical Details

Input Point: When adding a new purchase, the field value is stored directly and then reflected in the activity log view.
Vulnerability: The lack of proper escaping allows any embedded HTML/JavaScript to execute when the log is viewed.

Proof of Concept (PoC)

Steps:
1. Log in as an administrator.
2. Navigate to Purchases → List Purchases → + Add.
3. Insert in the field.
4. Save and navigate to Reports → Activity Log.
The alert box confirms the successful execution of stored XSS.

Mitigation & Recommendations

For Vendor:
- Sanitize and validate all user input, especially in the field.
- Encode output before rendering dynamic values in HTML.
- Enforce Content Security Policy (CSP) headers.
- Secure cookies (HttpOnly, SameSite=strict).

For Users:
- Restrict admin access to trusted users.
- Avoid shared admin accounts.
- Monitor activity logs for suspicious payloads.
- Apply patches immediately once available.
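The following is an added example, not UltimatePOS code, illustrating the two recommendations that matter most here: encoding every dynamic value before it lands in the activity-log HTML, and scanning stored log entries for markup so a defender can spot tampered records. The log entries, field names and table layout are constructed for the demo.

```python
import html
import re

# Constructed sample activity-log entries (not real UltimatePOS data).
# The second entry carries markup in the stored purchase field.
SAMPLE_LOG = [
    {"user": "admin", "action": "purchase_added", "field": "Supplier invoice 1023"},
    {"user": "admin", "action": "purchase_added", "field": "<script>alert(1)</script>"},
]

COLUMNS = ("user", "action", "field")


def render_row_unsafe(entry):
    """Mirror the defect in the advisory: stored values are concatenated
    straight into the HTML row, so any tags in them become live markup."""
    return "<tr>" + "".join(f"<td>{entry[k]}</td>" for k in COLUMNS) + "</tr>"


def render_row_safe(entry):
    """Hardened form: HTML-entity-encode each dynamic value (including quotes)
    before it reaches the template, so stored markup renders as text."""
    cells = (html.escape(str(entry[k]), quote=True) for k in COLUMNS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Tokens that have no business in a free-text purchase field: HTML tags,
# javascript: URLs and inline event-handler attributes.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_entries(log):
    """Return log entries whose stored field contains markup-like content.
    Useful for the 'monitor activity logs for suspicious payloads' step."""
    return [e for e in log if MARKUP_RE.search(str(e["field"]))]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print("unsafe:", render_row_unsafe(entry))
        print("safe:  ", render_row_safe(entry))
    print("flagged:", [e["field"] for e in suspicious_entries(SAMPLE_LOG)])
```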