PT-2026-2492 · Opensourcepos · Open Source Point Of Sale

Published: 2026-01-13 · Updated: 2026-01-21 · CVE-2025-68658

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open Source Point of Sale versions 3.4.0 through 3.4.1

Description: Open Source Point of Sale is a web-based point of sale application written in PHP using the CodeIgniter framework. A stored cross-site scripting (XSS) issue exists in the Configuration (Information) functionality. An authenticated user with the “Configuration: Change OSPOS's Configuration” permission can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The payload is stored and executed when a user accesses the /sales/complete endpoint. The issue is due to insufficient input validation and output encoding. The malicious code is triggered when selecting Sales, choosing New Item to create an item, and then clicking on Completed. The vulnerable parameter is the Company Name field.

Recommendations: Update to version 3.4.2 or later.
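To illustrate the root cause named above (a stored value written into HTML without output encoding), here is an added PHP example that is not OSPOS's own code: a minimal render of the Company Name the unsafe way beside the encoded way. The `$company` value and the `render_*` function names are constructed for the example.

```php
<?php
// Added example, not code from the OSPOS project. It shows why a stored
// Company Name must be HTML-encoded at every point where it is written
// into a page such as the receipt shown at /sales/complete.

// Constructed sample value, as it might sit in the configuration table
// after a user with the Configuration permission saved it.
$company = 'Acme <script>alert(1)</script>';

// Vulnerable rendering: the raw value is concatenated into the markup, so
// the stored tag becomes live script for every user who views the page.
function render_unsafe(string $company): string
{
    return '<h1>' . $company . '</h1>';
}

// Hardened rendering: encode for the HTML context at output time.
// CodeIgniter 4 provides esc($value) (backed by Laminas Escaper) for the
// same purpose; plain htmlspecialchars() is used here so the file runs
// without the framework.
function render_safe(string $company): string
{
    $encoded = htmlspecialchars($company, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $encoded . '</h1>';
}

// Defence in depth on the input side: reject markup characters in a field
// that only ever holds a display name, so a bad value is never stored.
function company_name_is_acceptable(string $company): bool
{
    return preg_match('/[<>]/', $company) !== 1 && mb_strlen($company) <= 255;
}

echo render_unsafe($company), PHP_EOL;   // script tag reaches the browser intact
echo render_safe($company), PHP_EOL;     // angle brackets arrive as entities
var_dump(company_name_is_acceptable($company));
```

Encoding at output is the fix that matters, because the same stored value may be rendered in several views; the input check only narrows what can be stored.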

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-68658
GHSA-32R8-8R9R-9CHW

Affected Products

Open Source Point Of Sale
Opensourcepos