Omkaryepre

**Name of the Vulnerable Software and Affected Versions** Open Source Point of Sale version 3.4.1 **Description** A Cross-site scripting (XSS) issue exists in the Create/Update Item(s) Module. This allows remote attackers to inject arbitrary web script or HTML via the `name` parameter. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the `name` parameter to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** Open Source Point of Sale version 3.4.1 **Description** A Cross-site scripting (XSS) issue exists in the Create/Update Customer(s) functionality. This allows remote attackers to inject arbitrary web script or HTML through the `phone number` parameter. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the `phone number` parameter before processing it.

**Name of the Vulnerable Software and Affected Versions** Open Source Point of Sale version 3.4.1 **Description** A Cross-site scripting (XSS) issue exists in the Create/Update Item Kit(s) functionality. This allows remote attackers to inject arbitrary web script or HTML through the `name` parameter. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the `name` parameter to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** edoc-doctor-appointment-system version 1.0.1 **Description** The edoc-doctor-appointment-system software is affected by a Cross Site Scripting (XSS) issue. This issue occurs in the 'admin/add-session.php' component through the `title` parameter. Successful exploitation could allow an attacker to inject malicious scripts into the web page. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the `title` parameter in the 'admin/add-session.php' component to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** Open Source Point of Sale version 3.4.1 **Description** The password change functionality has a flaw where a user can set an empty password due to a lack of server-side validation. Omitting or providing empty values for the `password` and `repeat password` parameters in a password change request results in a successful response and an empty password being set. This bypasses authentication and potentially allows unauthorized access to user or administrative accounts. The vulnerable API endpoint is the password change endpoint. **Recommendations** Apply a fix that enforces server-side validation to prevent setting an empty password.