- **Affected Product**: OpenSourcePOS v3.4.1
- **Vulnerability Type**: Stored Cross-Site Scripting (XSS), CWE-79
- **Affected Component**: Customer Module – Phone Number Field
- **Severity**: Medium
- **CVSS 3.1**: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
- **Patch**: [opensourcepos/opensourcepos#4356](https://github.com/opensourcepos/opensourcepos/pull/4356)

---

**Summary**:

A stored cross-site scripting (XSS) vulnerability exists in the Customer module of OpenSourcePOS v3.4.1. An authenticated user with permissions to add or update customers can inject arbitrary JavaScript code into the phone number field. The malicious payload is stored and executed when the customer record is rendered in the web interface.

---

**Impact**:

- Execution of arbitrary JavaScript in the context of other users’ browsers
- Potential session hijacking
- Exposure of sensitive information
- Unauthorized actions performed on behalf of the victim
- Impact depends on the permissions of users who view the malicious record

---

**Affected Versions**:

- Confirmed affected: OpenSourcePOS v3.4.1
- Other versions: Not tested; impact on other versions has not been independently verified.

---

**Technical Description**:

The phone number field in the Customer module does not properly validate or sanitize user-supplied input. Additionally, stored values are not appropriately output-encoded when rendered in the application’s web interface. An authenticated attacker with “Customer: Add, Update, Delete, and Search Customers” permissions can inject a JavaScript payload into the phone number field. When the customer data is later displayed, the payload executes, triggering the stored XSS condition.

---

**Proof of Concept**:

**Scenario**: Attacker has an authenticated account with customer management privileges.

**Step 1**: Log in with an account that has the required customer management permissions.

**Step 2**: Navigate to the Customers section and create or update a customer, using the following value for the Phone Number field: `alert(1)`

**Step 3**: Submit the form. When the customer record is viewed, the JavaScript payload executes, confirming successful exploitation.

---

**Remediation**:

- Apply strict output encoding (e.g., HTML entity encoding) to all user-supplied data before rendering in the browser
- Implement input validation for the phone number field using a whitelist approach to ensure only valid number formats are accepted
- Review other input fields in the Customer module for similar issues to prevent additional XSS vulnerabilities

---

**Timeline**:

- Reported to vendor and MITRE: December 19, 2025
- CVE assigned: February 5, 2026

---

**References**:

- OpenSourcePOS Project: [https://github.com/opensourcepos/opensourcepos](https://github.com/opensourcepos/opensourcepos)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Patch: [opensourcepos/opensourcepos#4356](https://github.com/opensourcepos/opensourcepos/pull/4356)
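The two remediation steps above (whitelist validation on input, HTML entity encoding on output) in PHP, the language OpenSourcePOS is written in. This is an added example, not code from the project or from the patch referenced above; the function names, the phone-number pattern and the sample values are assumptions chosen for illustration.

```php
<?php
// Added example (not OpenSourcePOS code): whitelist validation for a phone
// number field plus HTML-entity output encoding. Function names, the
// accepted pattern and the sample values below are constructed.

declare(strict_types=1);

// Whitelist: optional leading '+', then a digit, then 5 to 19 characters
// drawn from digits, spaces, dots, dashes and parentheses. Anything else
// (including '<', '>', quotes) is rejected outright rather than "cleaned".
const PHONE_PATTERN = '/^\+?[0-9][0-9 .()\-]{5,19}$/';

function isValidPhoneNumber(string $phone): bool
{
    return preg_match(PHONE_PATTERN, $phone) === 1;
}

// Output encoding: every user-supplied value is entity-encoded at the point
// it is written into HTML, whether or not it was validated on the way in.
// ENT_QUOTES also encodes single and double quotes, so the value is safe
// inside attribute values as well as element text.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened path: validate at the input boundary, encode at the output boundary.
function renderPhoneCell(string $phone): string
{
    if (!isValidPhoneNumber($phone)) {
        throw new InvalidArgumentException('Invalid phone number format');
    }
    return '<td>' . encodeForHtml($phone) . '</td>';
}

// Constructed sample values: one well-formed number, one carrying markup.
$samples = [
    '+1 (555) 010-0000',
    '555<script>alert(1)</script>',
];

foreach ($samples as $phone) {
    try {
        echo renderPhoneCell($phone), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // Records stored before the fix bypass validation entirely, so the
        // encoder is still the control that neutralises them on display.
        echo 'rejected: ', encodeForHtml($phone), PHP_EOL;
    }
}
```

Validation narrows what new records can contain, but customer records stored before the fix are only made safe by the output encoding, so the encoding must be applied on every render path and not only on the form that accepted the value.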