CVE-2026-42840
Authenticated Stored XSS in ERPNext POS Interface
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: Fluid Attacks
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| erpnext | erpnext | 16.16.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in ERPNext version 16.16.0, specifically in the Point of Sale (POS) customer section.
An authenticated user can inject arbitrary HTML or JavaScript code into the email_id or mobile_no fields of a Customer record by exploiting a whitelisted API endpoint or by directly editing customer details.
The injected malicious code is stored in the database without proper sanitization and is later rendered unescaped in the POS interface when a POS operator selects the affected customer.
This happens because the update_customer_section function in pos_item_cart.js improperly handles user-controlled data, failing to escape HTML special characters and misusing the deprecated window.escape() function for URI encoding instead of HTML escaping.
Additionally, a malformed HTML attribute in the get_customer_image() function allows attribute injection, further contributing to the vulnerability.
How can this vulnerability impact me?
This vulnerability can allow an authenticated user to execute arbitrary HTML or JavaScript code in the browsers of POS operators.
Such code execution can lead to unauthorized actions being performed in the POS interface, potentially compromising the integrity and security of the POS system.
Because the malicious code executes in the context of the POS operator's browser, it could be used to steal session tokens, manipulate the interface, or perform other malicious activities.
The vulnerability has a medium severity with a CVSS v4.0 base score of 5.1 and can be exploited remotely by any authenticated user regardless of their role.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) in the email_id or mobile_no fields of Customer records in ERPNext version 16.16.0. Detection consists of checking whether these fields contain arbitrary HTML or JavaScript code that could be executed in the Point of Sale (POS) interface.
Since the malicious payload is stored in the database, you can query the Customer records to look for suspicious HTML or JavaScript code in the email_id or mobile_no fields.
- Use database queries to search for common XSS payload patterns in the email_id or mobile_no fields, for example, searching for <script> tags or event handlers.
- Example SQL command (adjust according to your database): `SELECT name, email_id, mobile_no FROM tabCustomer WHERE email_id LIKE '%<script>%' OR mobile_no LIKE '%<script>%';`
- Alternatively, search for other suspicious HTML tags or attributes that could be used for XSS.
Network detection is limited since the vulnerability is stored and triggered in the POS interface when selecting a customer, so monitoring for unusual or unexpected HTML/JavaScript in these fields is key.
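The two defender-side pieces this answer and the root-cause explanation call for, as an added example that is not ERPNext's code: a scanner that flags markup, event-handler attributes or a javascript: scheme stored in email_id/mobile_no, and the HTML-escaping step a customer-section renderer must apply before interpolating those fields into markup. Record shapes, field names and the sample customers are constructed for the example.

```javascript
// Added example (not ERPNext's code): defender-side checks for the
// stored XSS in Customer email_id / mobile_no described above.

// Contextual HTML escaping: every character that can open a tag, close a
// quoted attribute or start an entity is replaced before interpolation.
// (URI encoding such as window.escape() is not a substitute for this.)
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Safe shape for a customer-section template: text nodes and attribute
// values are both escaped, and every attribute is double-quoted so an
// injected quote cannot break out of it (attribute injection).
function renderCustomerSection(customer) {
  const name = escapeHtml(customer.customer_name);
  const email = escapeHtml(customer.email_id);
  const mobile = escapeHtml(customer.mobile_no);
  return `<div class="customer-name">${name}</div>` +
         `<div class="customer-desc" title="${email}">${email} ${mobile}</div>`;
}

// Detection over exported Customer records: a genuine e-mail address or
// phone number never contains a tag opener, an on*= handler or javascript:.
const SUSPICIOUS = [/<\s*[a-z!\/]/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];
function findSuspiciousCustomers(records) {
  const hits = [];
  for (const r of records) {
    for (const field of ["email_id", "mobile_no"]) {
      const v = String(r[field] ?? "");
      if (SUSPICIOUS.some((re) => re.test(v))) hits.push({ name: r.name, field });
    }
  }
  return hits;
}

// Constructed sample records (not real data): one clean, one with a tag in
// email_id, one with an attribute-breaking value in mobile_no.
const SAMPLE_CUSTOMERS = [
  { name: "CUST-0001", customer_name: "Alice", email_id: "alice@example.com", mobile_no: "+1 555 0100" },
  { name: "CUST-0002", customer_name: "Bob", email_id: "<script>x</script>", mobile_no: "555-0101" },
  { name: "CUST-0003", customer_name: "Carol", email_id: "carol@example.com", mobile_no: '" onclick=x' },
];
```

Running findSuspiciousCustomers over a full Customer export gives the same result as the SQL query above, but also catches event-handler and scheme-based payloads that a LIKE '%<script>%' filter misses.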
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the injection and execution of arbitrary HTML/JavaScript in the email_id and mobile_no fields of Customer records.
- Restrict or disable editing of the email_id and mobile_no fields by untrusted or low-privileged authenticated users to prevent injection.
- Manually review and sanitize existing Customer records to remove any malicious HTML or JavaScript code from these fields.
- Educate POS operators to be cautious when selecting customers and monitor for unusual behavior in the POS interface.
- Apply strict input validation and sanitization on these fields if possible, or temporarily disable the vulnerable POS functionality until a patch is released.
Since no patch is available as of the disclosure date, these steps help reduce the risk until an official fix is provided.