CVE-2025-68658
Stored XSS in OpenSourcePOS Configuration Allows Persistent Script Injection
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensourcepos | opensourcepos | 3.4.0 |
| opensourcepos | opensourcepos | 3.4.1 |
| opensourcepos | opensourcepos | 3.4.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68658 is a stored Cross-Site Scripting (XSS) vulnerability in the Open Source Point of Sale (opensourcepos) software versions 3.4.0 and 3.4.1. It occurs in the Configuration (Information) feature, specifically in the Company Name field. An authenticated user with permission to change the configuration can inject malicious JavaScript code into this field. This malicious code is stored and later executed in the browser of any user who accesses the /sales/complete page after creating a new sales item and clicking Completed. The vulnerability is caused by insufficient input validation and lack of output encoding, allowing the script to run in users' browsers. [1]
How can this vulnerability impact me?
This vulnerability can allow an authenticated user with configuration permissions to inject malicious JavaScript that executes in other users' browsers when they access certain pages. This can lead to unauthorized actions performed on behalf of users, theft of session cookies or credentials, and potentially compromise user accounts or data. Although the impact on confidentiality, integrity, and availability is rated low, the stored XSS can be used to perform attacks such as session hijacking or defacement within the application. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if the OpenSourcePOS application version is 3.4.0 or 3.4.1 and checking if the 'Company Name' field in the Configuration (Information) section allows injection of JavaScript code. Since it is a stored XSS triggered when accessing /sales/complete after creating a new item and clicking Completed, you can test by injecting a benign script payload into the Company Name field and then navigating to /sales/complete to see if the script executes. There are no specific network commands provided to detect this vulnerability automatically. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade OpenSourcePOS to version 3.4.2 or later, where the vulnerability is fixed by implementing proper input validation and output encoding. There is no effective workaround due to the absence of input escaping in affected versions. Applying the patch that includes backend escaping, frontend sanitization using DOMPurify, and stricter output encoding will mitigate the risk. [1, 2]
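An added illustration of the rendering defect and the output-encoding fix described above. It is example code, not OpenSourcePOS's own, and the template, function and field names are assumptions made for the illustration.

```javascript
// Added example, not OpenSourcePOS code: how a stored configuration value
// such as Company Name reaches the header of a page like /sales/complete.
// The unsafe renderer interpolates the raw value into HTML, the pattern
// behind a stored XSS; the hardened one encodes it for the HTML text and
// attribute contexts at output time. Names are assumptions for illustration.

// Encode the characters that change meaning in HTML text and in quoted
// attribute values. Done at render time, never at storage time, so the stored
// value stays intact and every rendering path gets the same treatment.
// Ampersand goes first so the entities emitted below are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the value is trusted because an authenticated user
// with configuration permission set it, and is inserted verbatim.
function renderReceiptHeaderUnsafe(config) {
  return `<h1 class="company" title="${config.companyName}">` +
    `${config.companyName}</h1>`;
}

// Hardened pattern: same markup, value encoded before insertion.
function renderReceiptHeaderSafe(config) {
  const name = escapeHtml(config.companyName);
  return `<h1 class="company" title="${name}">${name}</h1>`;
}

// Regression check for a template: if the stored value contains a tag and the
// rendered fragment still contains that value byte-for-byte, the template is
// emitting raw markup and needs output encoding.
function leaksRawMarkup(html, storedValue) {
  const hasTag = /<\s*\/?\s*[a-z]/i.test(storedValue);
  return hasTag && html.includes(storedValue);
}

// Constructed sample: a Company Name carrying an inert script element
// (the comment inside does nothing; the point is whether the tag survives).
const sampleConfig = { companyName: "Acme Store <script>/*marker*/</script>" };

console.log(leaksRawMarkup(renderReceiptHeaderUnsafe(sampleConfig), sampleConfig.companyName)); // true
console.log(leaksRawMarkup(renderReceiptHeaderSafe(sampleConfig), sampleConfig.companyName));   // false
```

The same check can be pointed at any other template that prints the stored Company Name, since the defect is in the output path rather than in the value itself.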