CVE-2021-47908
Unknown Unknown - Not Provided

Persistent XSS in Ultimate POS 4.4 Product Name Allows Session Hijack

Vulnerability report for CVE-2021-47908, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-07-06
AI Q&A
2026-02-01
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ultimate_fosters ultimate_pos to 4.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2021-47908 is a persistent cross-site scripting (XSS) vulnerability in Ultimate POS version 4.4 and earlier. It exists in the product name parameter of the product add or edit functions, where input is not properly neutralized. This allows remote attackers with vendor-level privileges to inject malicious JavaScript code that is stored persistently. When other users view the affected pages, the malicious scripts execute in their browsers, potentially hijacking user sessions or performing other malicious actions. [1, 3]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the context of the affected Ultimate POS application. This can lead to session hijacking, persistent phishing attacks, external redirects to malicious sites, and manipulation of application modules. Since the malicious script is stored persistently, it affects all users who access the compromised product pages, potentially compromising user accounts and data integrity within the system. [1, 3]

Detection Guidance

This vulnerability can be detected by testing the product add or edit functions in Ultimate POS 4.4 for persistent cross-site scripting (XSS) in the product name parameter. Specifically, you can attempt to inject JavaScript payloads via HTTP POST requests with multipart/form-data content type to the product creation or editing endpoints and observe if the script executes persistently. Commands to test this might include using curl to send crafted POST requests with malicious scripts in the 'name' parameter, for example: curl -X POST -F "name=<script>alert(1)</script>" https://your-ultimatepos-instance/products/add Monitoring the response and subsequent product listings for script execution indicates vulnerability. Additionally, reviewing logs for suspicious POST requests to product add/edit endpoints or using web vulnerability scanners configured to detect persistent XSS in form parameters can help detect this issue. [3]

Mitigation Strategies

Immediate mitigation steps include: 1. Restrict input on the product name parameter to disallow special characters that can be used for script injection. 2. Encode and filter all input transmitted via POST requests in the 'name' parameter to prevent malicious scripts from being processed. 3. Escape and sanitize output in the backend product listing pages to prevent execution of injected scripts. Additionally, consider applying any available patches or updates from Ultimate POS, and restrict vendor-level privileges to trusted users only to reduce exploitation risk. [3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47908. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart