CVE-2025-10066
BaseFortify
Publication date: 2025-09-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| facebook-kimmymatillano | point_of_sale_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) flaw in itsourcecode POS Point of Sale System version 1.0, specifically in the file /inventory/main/vendors/datatables/unit_testing/templates/dymanic_table.php. It occurs because user input in the 'scripts' argument is not properly sanitized before being included in the web page output. This allows remote attackers to inject and execute arbitrary scripts in the context of the affected web application, potentially manipulating the application or stealing information. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing remote attackers to execute arbitrary scripts within the affected web application, which can lead to data integrity issues. Although it does not directly affect confidentiality or availability, the injected scripts could manipulate data or perform actions on behalf of the user. The attack requires user interaction and can be exploited without authentication, making it relatively easy to exploit remotely. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable file path `/inventory/main/vendors/datatables/unit_testing/templates/dymanic_table.php` on your web server. Additionally, you can use Google dorking with the query `inurl:inventory/main/vendors/datatables/unit_testing/templates/dymanic_table.php` to identify potentially vulnerable targets. Monitoring web server logs for suspicious requests containing the `scripts` argument with unusual or malicious input may also help detect exploitation attempts. There is a publicly available proof-of-concept exploit on GitHub that can be used for testing in a controlled environment. [1]
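As an added example (not part of the BaseFortify/VulDB record), the log-monitoring suggestion above can be turned into a small scanner that parses common-format web server access log lines, picks out requests to the affected `dymanic_table.php` path and flags a `scripts` parameter carrying HTML/JS metacharacters. The log format, the metacharacter heuristic and the sample lines are assumptions made here and are constructed, not taken from a real incident.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the affected template, as named in the advisory.
VULN_PATH = "/inventory/main/vendors/datatables/unit_testing/templates/dymanic_table.php"

# Common/combined access log format (assumption): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic (assumption): HTML/JS metacharacters or event-handler syntax in the
# `scripts` value are not expected in normal use and indicate an injection attempt.
SUSPICIOUS = re.compile(r'[<>"\'()]|javascript:|\bon\w+=', re.IGNORECASE)


def analyse_line(line):
    """Return a finding for a request that touches the vulnerable path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(VULN_PATH):
        return None
    # parse_qs percent-decodes the values for us.
    values = parse_qs(parts.query).get("scripts", [])
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "scripts": values,
        "suspicious": any(SUSPICIOUS.search(v) for v in values),
    }


def scan(lines):
    """Scan an iterable of log lines; any hit on the path is worth knowing about,
    since its mere presence means the vulnerable template is deployed."""
    return [f for f in (analyse_line(l) for l in lines) if f]


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Sep/2025:10:15:01 +0000] "GET ' + VULN_PATH +
    '?scripts=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [07/Sep/2025:10:16:12 +0000] "GET ' + VULN_PATH +
    '?scripts=table.js HTTP/1.1" 200 498',
    '198.51.100.9 - - [07/Sep/2025:10:17:30 +0000] "GET /inventory/index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [07/Sep/2025:10:18:45 +0000] "POST ' + VULN_PATH + ' HTTP/1.1" 200 501',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```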
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected component or product with an alternative that does not contain this vulnerability, as no known mitigations or countermeasures have been published. Additionally, restricting access to the vulnerable URL path and implementing web application firewall (WAF) rules to block malicious input targeting the `scripts` argument may reduce risk. Promptly applying any patches or updates from the vendor, if available, is also recommended. [1]