PT-2026-31017 · Unknown · Open Source Point Of Sale
Ormzro · Published 2026-04-07 · Updated 2026-04-08
CVE-2026-32712
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Open Source Point of Sale versions prior to 3.4.3
Description
Open Source Point of Sale, a web-based point-of-sale application written in PHP using the CodeIgniter framework, contains a Stored Cross-Site Scripting (XSS) issue in the Daily Sales management table. The customer name column is configured with escape: false in the bootstrap-table column configuration, which renders customer names as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first name or last name field. This injected code executes in the browser of any user viewing the Daily Sales page.
Recommendations
Update to version 3.4.3 or later.
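For instances that cannot be updated immediately, the following added example (not code from Open Source Point of Sale or bootstrap-table) models how a per-column escape: false setting changes cell output and shows a small review helper that lists columns opting out of escaping. The field names, sample row and helper functions are assumptions made for illustration; only the escape column option comes from the description above.

```javascript
// Simplified model of per-column escaping in a column-driven table renderer.
// This is NOT bootstrap-table's source; function and field names are hypothetical.

function escapeHTML(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one cell: raw when the column opts out of escaping (escape: false),
// HTML-encoded otherwise. In this model, encoding is the default.
function renderCell(column, row) {
  const value = row[column.field] ?? '';
  const html = column.escape === false ? String(value) : escapeHTML(value);
  return `<td>${html}</td>`;
}

// Review helper: return the fields of all columns that disable escaping,
// so each one can be checked for user-controlled data.
function findUnescapedColumns(columns) {
  return columns.filter((c) => c.escape === false).map((c) => c.field);
}

// Constructed sample row: the customer name carries markup, as a stored
// first/last name field would after injection.
const row = {
  sale_id: 'POS 42',
  customer_name: '<img src=x onerror="alert(1)"> Smith',
};

// Weak setting, as described in the advisory.
const vulnerableColumns = [
  { field: 'sale_id', title: 'ID' },
  { field: 'customer_name', title: 'Customer', escape: false },
];

// Corrected setting: the customer name column is encoded on output.
const hardenedColumns = vulnerableColumns.map((c) =>
  c.field === 'customer_name' ? { ...c, escape: true } : c
);

console.log(renderCell(vulnerableColumns[1], row)); // markup reaches the DOM as HTML
console.log(renderCell(hardenedColumns[1], row));   // markup is shown as text
console.log(findUnescapedColumns(vulnerableColumns));
```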
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Open Source Point Of Sale