CVE-2025-10067
BaseFortify
Publication date: 2025-09-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| facebook-kimmymatillano | point_of_sale_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10067 is a Cross-Site Scripting (XSS) vulnerability in itsourcecode POS Point of Sale System version 1.0. It exists in the file `/inventory/main/vendors/datatables/unit_testing/templates/empty_table.php` where the 'scripts' parameter is not properly neutralized. This allows remote attackers to inject arbitrary web scripts or HTML code, which can then execute in the context of the affected web application when a user interacts with it. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to execute malicious scripts in your web application context, potentially compromising user data or session integrity. It affects data integrity and can be exploited without authentication but requires user interaction. This can lead to unauthorized actions performed on behalf of users or theft of sensitive information. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable file `/inventory/main/vendors/datatables/unit_testing/templates/empty_table.php` on your web server. Additionally, you can use Google dorking with the query `inurl:inventory/main/vendors/datatables/unit_testing/templates/empty_table.php` to identify exposed instances. To test for the vulnerability, you can attempt to inject scripts into the `scripts` parameter and observe if the input is reflected without proper neutralization, indicating a cross-site scripting flaw. For example, using curl to send a request with a script payload: `curl -G --data-urlencode "scripts=<script>alert(1)</script>" http://yourserver/inventory/main/vendors/datatables/unit_testing/templates/empty_table.php` and checking the response for the injected script. Monitoring web server logs for suspicious requests targeting the `scripts` parameter can also help detect exploitation attempts. [2, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the vulnerable file `/inventory/main/vendors/datatables/unit_testing/templates/empty_table.php` to prevent remote exploitation. Since no known countermeasures or patches are available, it is recommended to replace the affected component with an alternative product that does not contain this vulnerability. Additionally, applying web application firewall (WAF) rules to block or sanitize requests containing suspicious script injections in the `scripts` parameter can reduce risk. Educate users to avoid interacting with suspicious links that may exploit this vulnerability. [2]