CVE-2021-47908
Persistent XSS in Ultimate POS 4.4 Product Name Allows Session Hijack
Publication date: 2026-02-01
Last updated on: 2026-02-01
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultimate_fosters | ultimate_pos | to 4.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47908 is a persistent cross-site scripting (XSS) vulnerability in Ultimate POS version 4.4 and earlier. It exists in the product name parameter of the product add or edit functions, where input is not properly neutralized. This allows remote attackers with vendor-level privileges to inject malicious JavaScript code that is stored persistently. When other users view the affected pages, the malicious scripts execute in their browsers, potentially hijacking user sessions or performing other malicious actions. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the context of the affected Ultimate POS application. This can lead to session hijacking, persistent phishing attacks, external redirects to malicious sites, and manipulation of application modules. Since the malicious script is stored persistently, it affects all users who access the compromised product pages, potentially compromising user accounts and data integrity within the system. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the product add or edit functions in Ultimate POS 4.4 for persistent cross-site scripting (XSS) in the product name parameter. Specifically, you can attempt to inject JavaScript payloads via HTTP POST requests with multipart/form-data content type to the product creation or editing endpoints and observe if the script executes persistently. Commands to test this might include using curl to send crafted POST requests with malicious scripts in the 'name' parameter, for example: curl -X POST -F "name=<script>alert(1)</script>" https://your-ultimatepos-instance/products/add Monitoring the response and subsequent product listings for script execution indicates vulnerability. Additionally, reviewing logs for suspicious POST requests to product add/edit endpoints or using web vulnerability scanners configured to detect persistent XSS in form parameters can help detect this issue. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Restrict input on the product name parameter to disallow special characters that can be used for script injection. 2. Encode and filter all input transmitted via POST requests in the 'name' parameter to prevent malicious scripts from being processed. 3. Escape and sanitize output in the backend product listing pages to prevent execution of injected scripts. Additionally, consider applying any available patches or updates from Ultimate POS, and restrict vendor-level privileges to trusted users only to reduce exploitation risk. [3]