CVE-2025-68147
Published: 17 December 2025
Summary
CVE-2025-68147 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-204017
Vulnerability details
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy"…
more
configuration field. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to the "Store Configuration" (such as a rogue administrator or an account compromised via the separate CSRF vulnerability) can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user (including other administrators and sales staff) whenever they view a receipt or complete a transaction. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The vulnerability has been patched in version 3.4.2 by ensuring the output is escaped using the `esc()` function in the receipt template. As a temporary mitigation, administrators should ensure the "Return Policy" field contains only plain text and strictly avoid entering any HTML tags. There is no code-based workaround other than applying the patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables arbitrary JavaScript execution (T1059.007) in victims' browsers when viewing receipts, facilitating browser session hijacking (T1185) and web session cookie theft (T1539) for session hijacking, data theft, and privilege escalation.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.