CVE-2025-68658
Unknown Unknown - Not Provided
Stored XSS in OpenSourcePOS Configuration Allows Persistent Script Injection

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the permission “Configuration: Change OSPOS's Configuration” can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete. First select Sales, and choose New Item to create an item, then click on Completed . Due to insufficient input validation and output encoding, the payload is rendered and executed in the user’s browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68658
EUVD
EUVD-2025-206285
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
opensourcepos opensourcepos 3.4.0
opensourcepos opensourcepos 3.4.1
opensourcepos opensourcepos 3.4.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68658 is a stored Cross-Site Scripting (XSS) vulnerability in the Open Source Point of Sale (opensourcepos) software versions 3.4.0 and 3.4.1. It occurs in the Configuration (Information) feature, specifically in the Company Name field. An authenticated user with permission to change the configuration can inject malicious JavaScript code into this field. This malicious code is stored and later executed in the browser of any user who accesses the /sales/complete page after creating a new sales item and clicking Completed. The vulnerability is caused by insufficient input validation and lack of output encoding, allowing the script to run in users' browsers. [1]

Impact Analysis

This vulnerability can allow an authenticated user with configuration permissions to inject malicious JavaScript that executes in other users' browsers when they access certain pages. This can lead to unauthorized actions performed on behalf of users, theft of session cookies or credentials, and potentially compromise user accounts or data. Although the impact on confidentiality, integrity, and availability is rated low, the stored XSS can be used to perform attacks such as session hijacking or defacement within the application. [1]

Detection Guidance

This vulnerability can be detected by verifying if the OpenSourcePOS application version is 3.4.0 or 3.4.1 and checking if the 'Company Name' field in the Configuration (Information) section allows injection of JavaScript code. Since it is a stored XSS triggered when accessing /sales/complete after creating a new item and clicking Completed, you can test by injecting a benign script payload into the Company Name field and then navigating to /sales/complete to see if the script executes. There are no specific network commands provided to detect this vulnerability automatically. [1]

Mitigation Strategies

The immediate mitigation is to upgrade OpenSourcePOS to version 3.4.2 or later, where the vulnerability is fixed by implementing proper input validation and output encoding. There is no effective workaround due to the absence of input escaping in affected versions. Applying the patch that includes backend escaping, frontend sanitization using DOMPurify, and stricter output encoding will mitigate the risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68658. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart