CVE-2025-68147

HIGH EPSS 22.5%
Published Dec 17, 20256mo ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
High
Find Similar
Published Dec 17, 2025 6mo ago
Last Modified Jun 17, 2026 2w ago

Description

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration field. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to the "Store Configuration" (such as a rogue administrator or an account compromised via the separate CSRF vulnerability) can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user (including other administrators and sales staff) whenever they view a receipt or complete a transaction. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The vulnerability has been patched in version 3.4.2 by ensuring the output is escaped using the `esc()` function in the receipt template. As a temporary mitigation, administrators should ensure the "Return Policy" field contains only plain text and strictly avoid entering any HTML tags. There is no code-based workaround other than applying the patch.

CVSS Details

Base Score
8.1
Exploitability
1.7
Impact
5.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
22.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
opensourceposopen_source_point_of_sale*≥3.4.0  –  <3.4.2

References 3

  • github.com https://github.com/Nixon-H/CVE-2025-68147-OSPOS-Stored-XSS
    ExploitThird Party Advisory
  • github.com https://github.com/opensourcepos/opensourcepos/commit/22297a
    Patch
  • github.com https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/opensourcepos/opensourcepos/commit/22297a
    Patch