CVE-2025-70095
Cross-Site Scripting in OpenSourcePOS Item Management and Sales
Publication date: 2026-02-13
Last updated on: 2026-02-17
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensourcepos | open_source_point_of_sale | 3.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue found in the item management and sales invoice function of OpenSourcePOS version 3.4.1.
It allows attackers to inject crafted malicious web scripts or HTML code, which can then be executed by users interacting with the affected functions.
How can this vulnerability impact me?
The impact of this vulnerability is that attackers can execute arbitrary scripts in the context of the affected web application.
This can lead to unauthorized actions such as stealing user session data, defacing the website, redirecting users to malicious sites, or performing other malicious activities on behalf of the user.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a cross-site scripting (XSS) issue in the item management and sales invoice functions of OpenSourcePOS v3.4.1. Detection typically involves testing these specific web application areas for injection of crafted payloads that execute arbitrary scripts.
You can manually test by injecting common XSS payloads into input fields related to item management and sales invoices and observing if the payload executes in the browser.
Automated scanning tools like OWASP ZAP or Burp Suite can be used to scan the web application for XSS vulnerabilities.
No specific commands or scripts are provided in the available resources for direct detection on the network or system.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this XSS vulnerability include sanitizing and validating all user inputs in the item management and sales invoice functions to prevent injection of malicious scripts.
Apply proper output encoding on all data rendered in the web interface to neutralize any injected scripts.
If available, update OpenSourcePOS to a version where this vulnerability is fixed.
In the absence of an official patch, consider implementing web application firewall (WAF) rules to block common XSS attack patterns targeting these functions.
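The output-encoding step above is the core fix for CWE-79, so here is an added illustration of it. This is not OpenSourcePOS code (that project is written in PHP) and not from the advisory; it is a Python stand-in for an invoice row template, with a constructed item record whose name and description fields carry markup of the kind that could be stored through an item management form. `render_row_unsafe` reproduces the defect pattern (stored fields concatenated straight into HTML), `render_row_safe` encodes every user-controlled field at output time, and the two helper checks show what "neutralized" means concretely: the raw markup no longer reaches the page unchanged, yet the displayed text is unchanged after the browser decodes it. All names and field values here are assumptions made for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class InvoiceItem:
    """One line of a sales invoice; every string field originates from user input."""
    name: str
    description: str
    quantity: int
    unit_price: float


# Constructed sample (not a payload from the advisory): an item whose name and
# description contain markup, as could be stored through the item management
# form and rendered later in a sales invoice.
SAMPLE_ITEM = InvoiceItem(
    name='Widget <b onmouseover="probe()">hover</b>',
    description='Blue" onfocus="probe()',
    quantity=2,
    unit_price=9.5,
)


def render_row_unsafe(item: InvoiceItem) -> str:
    """The CWE-79 pattern: stored fields are interpolated directly into HTML.

    The element body (name) and the attribute value (description) are both
    emitted without encoding, so any markup stored in them becomes live.
    """
    return (
        f'<tr><td title="{item.description}">{item.name}</td>'
        f"<td>{item.quantity}</td><td>{item.unit_price:.2f}</td></tr>"
    )


def encode_html(value: object) -> str:
    """Encode a value for an HTML element body or a double-quoted attribute.

    quote=True also converts '"' and "'", so the result is safe inside quoted
    attribute values and not only between tags.
    """
    return html.escape(str(value), quote=True)


def render_row_safe(item: InvoiceItem) -> str:
    """Same row, with every user-controlled field encoded at output time."""
    return (
        f'<tr><td title="{encode_html(item.description)}">'
        f"{encode_html(item.name)}</td>"
        f"<td>{encode_html(item.quantity)}</td>"
        f"<td>{encode_html(format(item.unit_price, '.2f'))}</td></tr>"
    )


def raw_markup_survives(rendered: str, field_value: str) -> bool:
    """True if a stored field reached the output unchanged, i.e. unencoded."""
    return field_value in rendered


def encoding_is_lossless(value: str) -> bool:
    """Encoding must change how the browser parses the text, not what it displays."""
    return html.unescape(encode_html(value)) == value


if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(SAMPLE_ITEM))
    print("safe:  ", render_row_safe(SAMPLE_ITEM))
```

Encoding is applied where the data is written into the page, not where it is stored: a value that is safe in an HTML body may still break out of an attribute, and one stored "clean" today may be rendered in a new context tomorrow. Input validation (rejecting names that contain angle brackets, for instance) is a useful second layer, but output encoding in every template is the control that holds regardless of how the data got in.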