PT-2025-51939 · Unknown · Open Source Point Of Sale
Nixon-H · Published 2025-12-17 · Updated 2025-12-20 · CVE-2025-68147
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open Source Point of Sale versions 3.4.0 through 3.4.1

Description: Open Source Point of Sale is a web-based point of sale application written in PHP using the CodeIgniter framework. A Stored Cross-Site Scripting (XSS) issue exists in the "Return Policy" configuration field in versions 3.4.0 through 3.4.1. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to the "Store Configuration" can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user when they view a receipt or complete a transaction, potentially leading to session hijacking or theft of sensitive data. The vulnerability is due to a lack of proper output escaping when displaying the "Return Policy" field on receipts.

Recommendations: Update to version 3.4.2, which includes a fix that escapes the output using the esc() function in the receipt template. As a temporary mitigation, ensure the "Return Policy" field contains only plain text and avoid entering any HTML tags.
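The following stand-alone PHP script is an added illustration, not code from the OSPOS project or from the advisory. It shows the defect class described above: a stored configuration string rendered into receipt HTML without escaping, next to the same template with output escaping applied at render time. CodeIgniter's `esc()` (default context `html`) is what the 3.4.2 fix uses in the receipt view; because this script runs without the framework, `esc_html()` below uses `htmlspecialchars()` as a stand-in, which is an assumption that it matches `esc()`'s HTML-context behaviour for this purpose. The sample return-policy value, the function names and the `return_policy` class name are all constructed for the example.

```php
<?php
// Added example (not OSPOS project code): why the "Return Policy" value
// must be escaped when it is rendered into the receipt HTML.
declare(strict_types=1);

// Constructed sample value, as it might be stored in the configuration
// field by a user who has Store Configuration access.
const SAMPLE_RETURN_POLICY = 'Returns accepted within 30 days. <script>alert(1)</script>';

// Vulnerable pattern: the stored string is concatenated into the receipt
// verbatim, so any markup it carries becomes part of the page.
function render_receipt_vulnerable(string $returnPolicy): string
{
    return '<div class="return_policy">' . $returnPolicy . '</div>';
}

// Stand-in for CodeIgniter's esc($value) in the 'html' context (assumption:
// equivalent for this purpose). Encodes every character that can open or
// close a tag, an attribute, or an entity in an HTML text node.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: identical template, value escaped at the point of output.
// In a CodeIgniter view this is the <?= esc($value) ?> form used by the fix.
function render_receipt_fixed(string $returnPolicy): string
{
    return '<div class="return_policy">' . esc_html($returnPolicy) . '</div>';
}

// Review check: render the template with an empty value to learn how many
// tag openers the template itself emits. Any additional '<' in a real render
// came from the stored value, which means it reached the page unescaped.
function injected_markup(callable $render, string $stored): bool
{
    $baseline = substr_count($render(''), '<');
    return substr_count($render($stored), '<') > $baseline;
}

// Demonstration run over the constructed sample.
$vulnerable = render_receipt_vulnerable(SAMPLE_RETURN_POLICY);
$fixed      = render_receipt_fixed(SAMPLE_RETURN_POLICY);

printf("vulnerable render leaks markup: %s\n",
    injected_markup('render_receipt_vulnerable', SAMPLE_RETURN_POLICY) ? 'yes' : 'no');
printf("fixed render leaks markup:      %s\n",
    injected_markup('render_receipt_fixed', SAMPLE_RETURN_POLICY) ? 'yes' : 'no');

echo "vulnerable: ", $vulnerable, "\n";
echo "fixed:      ", $fixed, "\n";
```

The `injected_markup()` comparison is a cheap regression check for a template review: seed the field with a value containing a `<` and confirm the rendered receipt contains no tag openers beyond the ones the template itself produces. It is not a substitute for escaping; it only confirms that the escaping is in place on the path that renders the field.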

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-68147
GHSA-XGR7-7PVW-FPMH

Affected Products

Open Source Point Of Sale