CVE-2021-47908
Unknown Unknown - Not Provided
Persistent XSS in Ultimate POS 4.4 Product Name Allows Session Hijack

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description
Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47908
EUVD
EUVD-2021-34762
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ultimate_fosters ultimate_pos to 4.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47908 is a persistent cross-site scripting (XSS) vulnerability in Ultimate POS version 4.4 and earlier. It exists in the product name parameter of the product add or edit functions, where input is not properly neutralized. This allows remote attackers with vendor-level privileges to inject malicious JavaScript code that is stored persistently. When other users view the affected pages, the malicious scripts execute in their browsers, potentially hijacking user sessions or performing other malicious actions. [1, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the context of the affected Ultimate POS application. This can lead to session hijacking, persistent phishing attacks, external redirects to malicious sites, and manipulation of application modules. Since the malicious script is stored persistently, it affects all users who access the compromised product pages, potentially compromising user accounts and data integrity within the system. [1, 3]

Detection Guidance

This vulnerability can be detected by testing the product add or edit functions in Ultimate POS 4.4 for persistent cross-site scripting (XSS) in the product name parameter. Specifically, you can attempt to inject JavaScript payloads via HTTP POST requests with multipart/form-data content type to the product creation or editing endpoints and observe if the script executes persistently. Commands to test this might include using curl to send crafted POST requests with malicious scripts in the 'name' parameter, for example: curl -X POST -F "name=<script>alert(1)</script>" https://your-ultimatepos-instance/products/add Monitoring the response and subsequent product listings for script execution indicates vulnerability. Additionally, reviewing logs for suspicious POST requests to product add/edit endpoints or using web vulnerability scanners configured to detect persistent XSS in form parameters can help detect this issue. [3]

Mitigation Strategies

Immediate mitigation steps include: 1. Restrict input on the product name parameter to disallow special characters that can be used for script injection. 2. Encode and filter all input transmitted via POST requests in the 'name' parameter to prevent malicious scripts from being processed. 3. Escape and sanitize output in the backend product listing pages to prevent execution of injected scripts. Additionally, consider applying any available patches or updates from Ultimate POS, and restrict vendor-level privileges to trusted users only to reduce exploitation risk. [3]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47908. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart