PT-2025-39077 · Unknown · Stocky Pos With Inventory Management & Hrm

Michael Kim · Published 2025-09-22 · Updated 2025-10-11 · CVE-2025-57204

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Stocky POS with Inventory Management & HRM (ui-lib) version 5.0

Description
Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 is affected by a Stored Cross-Site Scripting (XSS) issue in the Products module, reachable by any authenticated user. The vulnerable parameter is the product name submitted to the product-creation endpoint via a POST form. Insufficient input sanitization and missing output encoding allow an attacker to store an HTML/JavaScript payload in the product name. The stored value is later rendered unencoded in the product views, so the payload executes in the browser of every user who opens the affected product pages. Because the victim can be a higher-privileged user, an authenticated low-privilege attacker can run arbitrary JavaScript in that user's session, potentially enabling session hijacking, privilege escalation, data exfiltration or administrative account takeover. The application ships without a restrictive Content Security Policy (CSP), which removes a layer of defence that would otherwise block injected inline scripts and event handlers.

Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the product name parameter before storing it, and contextually encode it wherever it is output into HTML. Note that input sanitization alone does not clean up payloads that were stored before the workaround was applied, so existing product records should be reviewed as well. Deploy a restrictive Content Security Policy (CSP) without 'unsafe-inline' in script-src to reduce the impact of any remaining XSS.
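The pattern behind this finding and the two server-side fixes the recommendations call for, as an added example that is not code from Stocky POS or from the advisory author. The product record, the table-row template, the CSP directive set and the helper names are assumptions for illustration; the sample product name is a constructed payload.

```javascript
// Added example, not Stocky POS code: how an unencoded product name becomes
// stored XSS, and how contextual output encoding plus a restrictive CSP
// close it. Record shape, template and header values are assumptions.

// Constructed sample: a product as an attacker could have stored it through
// the product-creation form. The name field carries the payload.
const storedProduct = {
  id: 42,
  name: '<img src=x onerror="alert(document.cookie)">',
  price: '9.99',
};

// Vulnerable pattern: the stored name is concatenated into HTML as-is, so the
// browser parses the attacker's tag and fires the onerror handler.
function renderProductRowVulnerable(product) {
  return `<tr><td>${product.id}</td><td>${product.name}</td><td>${product.price}</td></tr>`;
}

// Output encoding for an HTML text/attribute-value context. Encoding these
// five characters is sufficient for that context only; a value placed in a
// URL or inside a script block needs the encoder for that context instead.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Hardened pattern: every user-controlled value is encoded at the point it is
// placed in the page, independent of whatever sanitization ran at store time.
// This also neutralises payloads that were stored before the fix.
function renderProductRowSafe(product) {
  return `<tr><td>${escapeHtml(product.id)}</td><td>${escapeHtml(product.name)}</td><td>${escapeHtml(product.price)}</td></tr>`;
}

// Defence in depth: a restrictive Content-Security-Policy. Without
// 'unsafe-inline' in script-src, an injected inline handler such as
// onerror="..." is refused by the browser even if an encoding bug slips
// through. The nonce must be freshly generated for each response.
function buildCspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'self'",
  ].join('; ');
}

// Crude storage-side check an operator can run over existing product names to
// find records created before encoding was enforced. It flags anything that
// looks like a tag or an inline event handler; review the hits manually.
function looksLikeMarkup(name) {
  return /<[a-zA-Z!\/]/.test(name) || /on\w+\s*=/i.test(name);
}

console.log('vulnerable:', renderProductRowVulnerable(storedProduct));
console.log('encoded:   ', renderProductRowSafe(storedProduct));
console.log('CSP:       ', buildCspHeader('replace-with-per-response-nonce'));
console.log('flagged:   ', looksLikeMarkup(storedProduct.name));
```

The encoded row renders the payload as literal text, while the vulnerable row hands the browser a live `<img>` tag with an event handler. Run the `looksLikeMarkup` sweep over the products table before relying on input sanitization alone, since the advisory's workaround only affects names stored after it is applied.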

Exploit

Fix

LPE

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-57204

Affected Products

Stocky Pos With Inventory Management & Hrm