Stored Cross Site Scripting Vulnerability in UltimatePOS by UltimateFosters
CVE-2025-40980

5.1MEDIUM

Key Information:

Vendor: Ultimatefosters
Status: Ultimatepos
Vendor: CVE Published:; 31 July 2025

🔔 Create Ultimatefosters Vulnerability Alert

What is CVE-2025-40980?

A stored cross site scripting vulnerability has been identified in UltimatePOS by UltimateFosters, resulting from inadequate validation of user inputs. This issue is particularly present in the '/products/<PRODUCT_ID>/edit' functionality, where the 'name' parameter can be exploited via POST requests. Attackers can craft a malicious query targeting authenticated users, potentially leading to the theft of session cookies and unauthorized access to user accounts.

Affected Version(s)

UltimatePOS 6.4;

References

https://www.incibe.es/en/incibe-cert/notices/aviso/cross-...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 31, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

Andrea Intilangelo (acme)