PT-2026-8001 · Unknown · Opensourcepos

Published: 2026-02-13 · Updated: 2026-02-13 · CVE-2025-70091

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions: OpenSourcePOS version 3.4.1

Description: An issue exists in OpenSourcePOS that allows for the execution of arbitrary web scripts or HTML. This occurs through a cross-site scripting (XSS) flaw within the Customers function. Specifically, the vulnerability is triggered by injecting a crafted payload into the Phone Number parameter.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider sanitizing the Phone Number parameter input to prevent the injection of malicious scripts.
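
A sketch of the temporary workaround in PHP, the language OpenSourcePOS is written in. This is an added example, not code from the advisory or the project: the function names, the allowed character set, and the length limits are assumptions, and it goes one step beyond input sanitizing by also escaping the value on output.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these names are not OpenSourcePOS functions.

/**
 * Allowlist validation on input: returns the trimmed value, or null when the
 * value contains anything other than characters a phone number needs.
 */
function validate_phone_number(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '') {
        return '';               // field treated as optional here (assumption)
    }
    // Digits, spaces, and + - . ( ) only; 3 to 32 characters overall (assumed limits).
    if (preg_match('/\A[0-9+\-.() ]{3,32}\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

/**
 * Output encoding: escape a stored value for an HTML text or attribute
 * context, so rows saved before validation existed also render inertly.
 */
function escape_html(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: two ordinary numbers, two values carrying markup.
$samples = [
    '+1 (555) 010-0199',
    '555.010.0199',
    '<script>alert(1)</script>',
    '555"><img src=x onerror=alert(1)>',
];

foreach ($samples as $input) {
    $valid = validate_phone_number($input);
    printf(
        "%-36s => %s | rendered: %s\n",
        $input,
        $valid === null ? 'REJECTED' : 'accepted',
        escape_html($input)
    );
}
```

Validation alone does not neutralize values already stored in the customers table, which is why the sketch escapes at render time as well.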

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-70091

Affected Products: Opensourcepos