CVE-2025-70091
Cross-Site Scripting in OpenSourcePOS Customers Phone Parameter
Publication date: 2026-02-13
Last updated on: 2026-02-17
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensourcepos | open_source_point_of_sale | 3.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue found in the Customers function of OpenSourcePOS version 3.4.1.
It allows attackers to execute arbitrary web scripts or HTML by injecting a specially crafted payload into the Phone Number parameter.
How can this vulnerability impact me?
Exploitation of this vulnerability lets an attacker run script of their choosing in the browser of any user who views a page where the injected phone number is rendered, with that user's session and privileges in the application.
This can lead to theft of session data, actions performed on the victim's behalf (OpenSourcePOS users are typically staff and administrators with access to sales and customer records), defacement of the page, or redirection of users to a malicious site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves cross-site scripting (XSS) via the Phone Number parameter in the Customers function of OpenSourcePOS v3.4.1. Detection has two sides: confirming that your deployment is affected, and checking whether a payload has already been planted in your customer data.
To confirm the flaw, submit a crafted value in the Phone Number field and check whether it comes back unencoded on the pages that render it. Do this only on an instance you are authorized to test, preferably a non-production copy: a customer record that stores a payload keeps serving it to every user who views that record until it is removed.
- Use a web proxy such as Burp Suite or OWASP ZAP to intercept the request that saves a customer and set the Phone Number parameter to a probe such as <script>alert(1)</script>. A benign, unique canary (for example an onerror handler that calls a made-up function name) is preferable to alert(1): you can attribute a hit to your own test, and it does nothing harmful if it fires in front of another user.
- Run an automated XSS scanner against the application, scoped to the Customers module, and review the reported injection points by hand; scanners often miss values that are reflected on a different page from the one they were submitted to.
- Manually test by entering script tags or JavaScript event handlers into the Phone Number input, then inspect the page source (not just whether a dialog appears) wherever customers are listed or edited: a raw < in the source means the value is unencoded, &lt; means it is encoded.
- To check for prior exploitation, search the customer phone column in the database and in backups for values containing <, javascript: or an on...= event handler; a legitimate phone number contains none of these.
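The probe described above, as an added example in Python (not code from OpenSourcePOS or from this page): it generates a unique canary, injects a benign payload through a caller-supplied submit function, and classifies how each rendered page returns it. The submit and fetch callables and the two sample pages are constructed for the demo; a real run would wrap an authenticated HTTP session against the Customers module, which is assumed and not provided here.

```python
"""Added example: canary-based check for an unencoded reflection of the Phone
Number value. Network access is injected (submit_phone / fetch_pages) so the
classification logic can run offline against constructed responses."""
import html
import re
import secrets


def make_canary() -> str:
    """Unique token so a hit can be attributed to this specific test run."""
    return "xsscanary" + secrets.token_hex(4)


def build_payload(canary: str) -> str:
    """Benign probe: the handler calls a function that does not exist, so if it
    fires in a browser it only logs a ReferenceError in the console."""
    return f'<img src=x onerror="{canary}()">'


def classify_reflection(body: str, canary: str) -> str:
    """How does the canary come back in one page body?

    'unencoded' - a raw <img tag precedes it: the browser parses it as markup
    'encoded'   - it is preceded by &lt;img: the value renders as text
    'partial'   - the canary is present but the tag was stripped or rewritten
    'absent'    - the canary does not appear in this page
    """
    verdict = "absent"
    for m in re.finditer(re.escape(canary), body):
        # Window sized to cover the payload prefix '<img src=x onerror="'.
        before = body[max(0, m.start() - 40):m.start()]
        if "<img" in before:
            return "unencoded"
        if "&lt;img" in before:
            verdict = "encoded"
        elif verdict == "absent":
            verdict = "partial"
    return verdict


def probe(submit_phone, fetch_pages) -> tuple[str, dict[str, str]]:
    """Run one probe.

    submit_phone(value): stores a customer whose phone number is `value`.
    fetch_pages(): returns {page_name: body} for every page that renders
    phone numbers (customer list, edit form, ...). In a real test these wrap
    an authenticated HTTP session against the OSPOS Customers module
    (assumed, not provided); demo() below uses in-memory fakes.
    """
    canary = make_canary()
    submit_phone(build_payload(canary))
    results = {name: classify_reflection(body, canary)
               for name, body in fetch_pages().items()}
    return canary, results


def demo() -> dict[str, str]:
    """Constructed responses (not captured from OpenSourcePOS): one page that
    concatenates the stored value raw, one that entity-encodes it."""
    store = {}

    def submit(value):
        store["phone"] = value

    def fetch():
        phone = store["phone"]
        return {
            "customers_list_vulnerable": f'<td class="phone">{phone}</td>',
            "customers_list_fixed": f'<td class="phone">{html.escape(phone)}</td>',
        }

    _, results = probe(submit, fetch)
    return results


if __name__ == "__main__":
    for page, verdict in demo().items():
        print(f"{page}: {verdict}")
```

Reading the source rather than waiting for a dialog is what makes the check reliable: an "encoded" verdict on every page that shows the phone number is the evidence that the field is safe, while "partial" usually means the application strips tags on input, which is a weak control and worth a second probe with an attribute-breakout payload.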
What immediate steps should I take to mitigate this vulnerability?
The fix for this XSS is output encoding: every place the application renders a customer's phone number (customer lists, detail and edit forms, receipts, exports viewed in a browser) must HTML-encode the value for the context it lands in. Input validation of the Phone Number parameter is a worthwhile second layer, and a phone number is easy to allowlist, but it does not protect records that were stored before the check existed.
- Apply context-aware output encoding (entity-encode <, >, &, " and ' for HTML text and attribute contexts) to all customer data rendered in the web interface; do not rely on stripping tags from input, which is easy to bypass and silently alters data.
- Validate the Phone Number parameter against an allowlist (digits, an optional leading +, and common separators) and reject anything else rather than trying to clean it.
- Update OpenSourcePOS to a version that fixes this issue; this page does not name a fixed release, so check the project's release notes and changelog.
- Audit existing customer records for stored payloads (see the detection answer above) and remove them: fixing the code stops new injection but does not clean what is already in the database.
- Use a web application firewall to detect and block obvious payloads as a stop-gap while you patch; treat it as a mitigation rather than a fix, since encoding and filter bypasses are routine.
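The two controls above, as an added example in Python (OpenSourcePOS itself is PHP; this is not the project's code, and the field and page names are illustrative): an allowlist validator for the phone_number parameter, the vulnerable string-concatenation rendering beside the encoded version, and the attribute context of an edit form where quoting matters.

```python
"""Added example: allowlist validation for the Phone Number parameter plus
context-aware output encoding where it is rendered. Illustrative only, not
OpenSourcePOS code; parameter and page names are assumptions."""
import html
import re

# A phone number needs digits, an optional leading +, and a few separators.
# Anything else (including < > & " ') is rejected outright rather than "cleaned".
PHONE_RE = re.compile(r"\+?[0-9][0-9 ()./-]{2,29}")


def is_valid_phone(raw: str) -> bool:
    """True if the trimmed value matches the allowlist."""
    return PHONE_RE.fullmatch(raw.strip()) is not None


def validate_phone(raw: str) -> str:
    """Boundary check for the phone_number parameter. Returns the trimmed value
    or raises ValueError; the request handler should turn that into a 4xx."""
    value = raw.strip()
    if not PHONE_RE.fullmatch(value):
        raise ValueError("phone number contains disallowed characters")
    return value


def render_customer_row_vulnerable(customer: dict) -> str:
    """Before: stored values are concatenated straight into markup, so a phone
    number of <script>alert(1)</script> becomes a live script element."""
    return (f'<tr><td>{customer["name"]}</td>'
            f'<td class="phone">{customer["phone"]}</td></tr>')


def render_customer_row(customer: dict) -> str:
    """After: HTML-encode every field at the point of output. This also covers
    records stored before validation existed and fields that are free text."""
    name = html.escape(customer["name"], quote=True)
    phone = html.escape(customer["phone"], quote=True)
    return f'<tr><td>{name}</td><td class="phone">{phone}</td></tr>'


def render_edit_form(customer: dict) -> str:
    """Attribute context: quote=True is what makes " and ' safe inside
    value="...", otherwise a phone of  x" onmouseover="...  breaks out of the
    attribute even though it contains no < character."""
    phone = html.escape(customer["phone"], quote=True)
    return f'<form method="post"><input name="phone_number" value="{phone}"></form>'


if __name__ == "__main__":
    # Constructed inputs: the script tag is the test string quoted on this page,
    # the attribute breakout is an additional constructed case.
    print(validate_phone(" +1 (555) 010-0100 "))
    print("script tag accepted:", is_valid_phone("<script>alert(1)</script>"))
    bad = {"name": "Ada", "phone": "<script>alert(1)</script>"}
    print(render_customer_row_vulnerable(bad))
    print(render_customer_row(bad))
    print(render_edit_form({"name": "Ada", "phone": 'x" onmouseover="alert(1)'}))
```

Note that validate_phone would never have let the attribute-breakout value through, yet render_edit_form still encodes it: the encoding is what stands on its own, and the validator only narrows the attack surface for one field.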