### Critical Vulnerability Information

#### Vulnerability Details

- **Affected Product**: OpenSourcePOS v3.4.1
- **Vulnerability Type**: Stored Cross-Site Scripting (XSS), CWE-79
- **Affected Components**: Items module (Item Name field) and Sales/Receivings module (invoice view)
- **Severity**: Medium
- **CVSS v3.1 Vector**: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
- **Patch**: [opensourcepos/opensourcepos#4363](https://github.com/opensourcepos/opensourcepos/pull/4363)

#### Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenSourcePOS v3.4.1. An attacker with administrative privileges can inject malicious JavaScript payloads into the Item Name field. The payload is stored in the database and executed in the browser whenever an invoice that includes the compromised item is generated.

#### Impact

- **Session Hijacking**: Attackers can steal session cookies of administrative users viewing invoices.
- **Data Theft**: Sensitive financial information or customer data displayed on the invoice screen may be accessible.
- **Unauthorized Actions**: Since invoices are typically handled by users with elevated privileges, the script can perform unauthorized transactions or system modifications.
- **Phishing**: The script can inject fake login forms or redirect users to malicious websites.

#### Affected Versions

- **Confirmed Affected**: OpenSourcePOS v3.4.1
- **Other Versions**: Possibly all versions prior to the latest security patch release.

#### Technical Description

The vulnerability arises because the application fails to escape input for the Item Name field on creation or update, and also fails to apply output encoding when rendering the invoice page. If an item name contains a `<script>` tag, the system retrieves the item details from the database and inserts the name directly into the HTML of the invoice screen. Browsers execute such tags immediately on page load.

#### Proof of Concept

- **Scenario**: An attacker uses an account with item management privileges to target the sales department.
- **Steps**:
  - Log in with an account that has the "Items: Add, Update, Delete, and Search Items" permissions.
  - Create or update an item, entering malicious code such as `alert('XSS_in_Invoice')` in the Item Name field.
  - Navigate to the Sales or Receivings menu, add the malicious item to a transaction, and generate or view the invoice. The browser renders and executes the script, displaying an alert box.

#### Mitigation Measures

- **Output Encoding**: Ensure all item attributes, especially item names, are HTML-encoded (e.g., using `htmlspecialchars()` in PHP) before being displayed on invoice and receipt pages.
- **Content Security Policy (CSP)**: Implement a strong CSP to restrict execution of inline scripts and unauthorized external scripts.
- **Input Filtering**: While output encoding is the primary defense, cleaning input by removing dangerous HTML tags provides an additional security layer.

#### Timeline

- **Reported to Vendor and MITRE**: 2026-01-04
- **CVE Assigned**: 2026-02-05

#### References

- OpenSourcePOS Project: [https://github.com/opensourcepos/opensourcepos](https://github.com/opensourcepos/opensourcepos)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): [https://cwe.mitre.org/data/definitions/79.html](https://cwe.mitre.org/data/definitions/79.html)
- Patch: [opensourcepos/opensourcepos#4363](https://github.com/opensourcepos/opensourcepos/pull/4363)
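The output-encoding and CSP mitigations above, shown side by side with the vulnerable rendering pattern. This is an added example written for this page, not code from OpenSourcePOS or from the linked patch; the row-rendering functions, the `h()` helper, the CSP policy string and the test item are all constructed for illustration.

```php
<?php
// Added example (not OpenSourcePOS code): an invoice line item rendered the
// vulnerable way versus with output encoding, as the advisory's
// "Output Encoding" mitigation describes.

// Vulnerable pattern: the stored item name is concatenated straight into HTML,
// so whatever was saved in the Item Name field becomes live markup.
function render_item_row_unsafe(string $name, float $price): string
{
    return '<tr><td>' . $name . '</td><td>' . number_format($price, 2) . '</td></tr>';
}

// Hardened pattern: encode every attribute pulled from the database before it
// reaches the page. ENT_QUOTES also encodes single quotes, so the same helper
// is safe inside attribute values; the charset is stated explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_item_row_safe(string $name, float $price): string
{
    return '<tr><td>' . h($name) . '</td><td>' . h(number_format($price, 2)) . '</td></tr>';
}

// Defence in depth: a CSP that refuses inline scripts, so a missed encoding
// site cannot execute an injected <script> block. Hypothetical policy; a real
// deployment needs nonces or hashes for its own legitimate inline scripts.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed test item reusing the advisory's PoC payload as the item name.
$item = ['name' => "<script>alert('XSS_in_Invoice')</script>", 'price' => 9.99];

$unsafe = render_item_row_unsafe($item['name'], $item['price']);
$safe   = render_item_row_safe($item['name'], $item['price']);

// The unsafe row still contains a live <script> element; the safe row carries
// only the encoded text, which the browser displays rather than executes.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));

send_csp_header();
echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

Run from the command line with PHP 8 or later (`str_contains` requires it); `header()` is a no-op under the CLI and only takes effect when the script is served over HTTP.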