### Vulnerability Overview

- **Affected Product**: OpenSourcePOS v3.4.1
- **Vulnerability Type**: Improper `Content-Type` handling leading to Stored Cross-Site Scripting (XSS) (CWE-79, CWE-116)
- **Affected Component**: Ajax endpoints returning JSON responses
- **Severity**: Medium
- **CVSS v3.1 Score**: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
- **Fix Patch**: [opensourcepos/opensourcepos#4357](https://github.com/opensourcepos/opensourcepos/pull/4357)

### Impact

- Execution of arbitrary JavaScript in the victim's browser context
- Potential session hijacking
- Exposure of sensitive information
- Unauthorized actions performed on behalf of the victim
- Impact depends on the permissions of the affected user

### Affected Versions

- Confirmed affected: OpenSourcePOS v3.4.1
- Other versions: Not tested; impact not independently verified

### Technical Description

Multiple Ajax endpoints in OpenSourcePOS return data in JSON format but do not set the `Content-Type` header to `application/json`; they return `text/html` instead. When user-supplied data is stored and later returned in one of these Ajax responses, a browser that loads the response directly interprets it as HTML rather than JSON, so the usual protection of a JSON body (the data stays an inert string) does not apply and any HTML or JavaScript contained in the stored value is rendered and executed.

### Proof of Concept (PoC)

- **Scenario**: Attacker has an authenticated account with attribute creation permissions.
- **Steps**: Create an attribute with a specific value, trigger an Ajax request, and execute the stored script.
- **Result**: Successful exploitation.
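The following is an added example, not code from OpenSourcePOS or the advisory author: it audits a raw HTTP response for the header mismatch described above (a JSON body served as `text/html`, with no `nosniff` header) and shows what a correctly labelled JSON response looks like. The sample response is constructed for this example; the escaping of `<`, `>` and `&` mirrors what PHP's `JSON_HEX_TAG`/`JSON_HEX_AMP` flags do and is a defence-in-depth choice, not something the project requires.

```python
import json
from typing import Dict, List, Tuple

JSON_TYPES = {"application/json", "application/problem+json"}


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def media_type(headers: Dict[str, str]) -> str:
    """Return the media type without parameters, e.g. 'text/html' from 'text/html; charset=UTF-8'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def body_is_json(body: bytes) -> bool:
    try:
        json.loads(body.decode("utf-8"))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def audit_response(raw: bytes) -> List[str]:
    """Flag a JSON body that a browser could be persuaded to render as HTML."""
    headers, body = parse_response(raw)
    findings: List[str] = []
    if not body_is_json(body):
        return findings  # only JSON bodies are in scope for this check
    mt = media_type(headers)
    if mt not in JSON_TYPES:
        findings.append(f"JSON body served as '{mt or '(none)'}' instead of application/json")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def safe_json_response(payload: object) -> bytes:
    """Build a response whose headers say JSON unambiguously and whose body escapes HTML-significant characters."""
    body = json.dumps(payload).replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    head = ("HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
            "X-Content-Type-Options: nosniff\r\n" f"Content-Length: {len(body.encode())}\r\n\r\n")
    return head.encode() + body.encode()


# Constructed sample: a JSON body served with the text/html header this advisory describes.
SAMPLE_BAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
              b'{"success":true,"message":"Attribute saved"}')
```

Running `audit_response` over captured responses from each Ajax handler gives a quick regression check that the header fix stays in place; `safe_json_response` shows the shape the fixed handlers should produce.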
### Mitigation

- Explicitly set `Content-Type` to `application/json`
- Ensure all user-supplied data in Ajax responses is properly encoded and sanitized
- Review all Ajax handlers to confirm consistent response headers and security practices
- Implement additional security defenses as needed, such as Content Security Policy (CSP)

### Timeline

- Reported to vendor and MITRE: 2022-12-28
- CVE assigned: 2026-02-05

### References

- OpenSourcePOS project: [GitHub Link](https://github.com/opensourcepos/opensourcepos)
- Fix patch/Pull Request: [Pull Request Link](https://github.com/opensourcepos/opensourcepos/pull/4357)