CVE-2025-10064

4.3 MEDIUM

📋 TL;DR

A reflected cross-site scripting (XSS) flaw in the itsourcecode POS Point of Sale System lets an attacker run arbitrary JavaScript in the browser session of any user who opens a crafted link to /inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php. Script running in that session can read session cookies (unless they are flagged HttpOnly), redirect the user to attacker-controlled sites, or issue requests to the POS on behalf of the logged-in user.

💻 Affected Systems

Products:
  • itsourcecode POS Point of Sale System
Versions: 1.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in a PHP template shipped with the bundled DataTables unit-testing files under the inventory module. These templates play no part in normal POS operation, but any installation where the file is reachable over HTTP is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker hijacks an administrator session via stolen cookies and gains full control of the POS back office: altering sales and inventory records, harvesting customer and payment data the application stores, and using the administrator's privileges as a foothold for further attacks on the network.

🟠

Likely Case

An attacker phishes a staff member with a crafted link, hijacks that user's session, and manipulates inventory data or records fraudulent transactions within the limits of that user's role.

🟢

If Mitigated

With output encoding and input validation in place (or the unit-testing templates removed), the injected payload is rendered as inert text and no script executes, with no effect on normal POS functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

A public proof of concept exists. This is a reflected XSS: the attacker crafts a request whose input is echoed into the page without encoding, then lures a logged-in user (ideally an administrator) into opening the crafted URL or submitting a prepared form, for example via a phishing message. The payload runs with whatever privileges the victim's session has.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified by vendor

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check the vendor website for security updates.
2. If no patch is available, apply the workarounds below.
3. Upgrade to a newer version if one is released.
4. Otherwise edit the vulnerable file so that user-supplied input is validated and encoded before it is written into the page.

🔧 Temporary Workarounds

Input Validation and Output Encoding

Platform: all

Encode every user-controlled value at the point it is written into the page, and validate it against what the template actually expects.

Edit /inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php so that each echoed value passes through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') (or an equivalent templating escape). Entity encoding neutralises payloads in HTML body and attribute contexts only; if the value ends up inside a URL, a script block, or an attribute such as src or href, encoding alone does not stop script execution and the input must instead be restricted to an allowlist of known-good values (for example a fixed list of file names).

Access Restriction

Platform: all

Restrict access to the vulnerable file or, better, remove the unit-testing templates entirely, since they serve no purpose in a production deployment.

Either add an authentication check at the top of the file, or deny web access to the whole unit_testing directory in Apache, e.g. in an .htaccess file in that directory: Require all denied (Apache 2.4; use Deny from all on 2.2). Note that Require valid-user on its own is not enough: without a matching AuthType/AuthUserFile configuration Apache returns a 500 error rather than a login prompt.

🧯 If You Can't Patch

  • Put a Web Application Firewall (WAF) with XSS rules in front of the application as a stopgap; match on the vulnerable path and on percent-encoded as well as literal payloads, and treat this as temporary, since WAF rules are routinely bypassed.
  • Delete the vulnerable /inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php file (and, if unused, the whole unit_testing directory) so the endpoint no longer exists.

🔍 How to Verify

Check if Vulnerable:

On a test instance you are authorised to probe, submit a harmless marker to the vulnerable parameter, for example <script>alert('XSS')</script> or a unique tag such as <xss-test>, and inspect the raw HTTP response: if the marker comes back with literal angle brackets the page is vulnerable; if it comes back as &lt;...&gt; the output is encoded in that context.

Check Version:

Check the system version in the admin panel or review the application's documentation/configuration files.

Verify Fix Applied:

Repeat the same request after the fix and confirm that the marker is entity-encoded in the response or that the endpoint now returns 403/404; then load the crafted URL in a browser to confirm that no script executes.
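The check described above, as an added example (not vendor code and not the public PoC): it sends a random marker instead of an alert() payload and classifies the response as unencoded reflection, entity-encoded reflection, or no reflection. It assumes the vulnerable input is a GET query-string parameter whose name the operator supplies, since the advisory does not name it; the sample responses are constructed so the classifier runs offline.

```python
"""Reflected-XSS check for the dom_data_two_headers.php endpoint.

Added example for this advisory; not vendor code. Assumes the vulnerable
input is a GET query-string parameter whose name the operator passes in.
"""
import html
import secrets
import urllib.parse
import urllib.request

VULN_PATH = "/inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php"


def make_canary() -> str:
    """Random, unique tag so the check cannot match text already on the page."""
    return f"<xss{secrets.token_hex(4)}>"


def classify_reflection(body: str, canary: str) -> str:
    """Classify how the response treated the canary.

    'vulnerable' : raw tag came back, so a browser would parse it as markup
    'encoded'    : came back as &lt;...&gt; (safe in HTML body/attribute context)
    'absent'     : not reflected at all (parameter ignored, or request blocked)
    """
    if canary in body:
        return "vulnerable"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def build_test_url(base_url: str, param: str, canary: str) -> str:
    """Compose the probe URL; urlencode() percent-encodes the angle brackets."""
    query = urllib.parse.urlencode({param: canary})
    return base_url.rstrip("/") + VULN_PATH + "?" + query


def check_live(base_url: str, param: str, timeout: float = 10.0) -> str:
    """Probe a real installation (only against systems you are authorised to test)."""
    canary = make_canary()
    url = build_test_url(base_url, param, canary)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, canary)


# Constructed sample responses (not captured from a real system) so the
# classifier can be exercised offline.
CANARY = "<xss0badc0de>"
SAMPLE_VULNERABLE = "<html><body><p>value: <xss0badc0de></p></body></html>"
SAMPLE_FIXED = "<html><body><p>value: &lt;xss0badc0de&gt;</p></body></html>"
SAMPLE_ABSENT = "<html><body><p>403 Forbidden</p></body></html>"


def demo() -> dict:
    """Run the classifier over the constructed samples."""
    return {
        "before_fix": classify_reflection(SAMPLE_VULNERABLE, CANARY),
        "after_fix": classify_reflection(SAMPLE_FIXED, CANARY),
        "blocked": classify_reflection(SAMPLE_ABSENT, CANARY),
    }


if __name__ == "__main__":
    print(demo())
    # Live use: print(check_live("http://pos.example", "<parameter-name>"))
```

An "encoded" result only proves the value is safe where it lands in HTML body or attribute text; if the page source shows the value inside a script block or a URL-valued attribute, entity encoding is not a sufficient fix and the endpoint should be treated as still vulnerable until the input is allowlisted or the file is removed.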

📡 Detection & Monitoring

Log Indicators:

  • GET or POST requests to /inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php whose query string or body contains script tags, event-handler attributes (onerror=, onload=), or javascript: URIs, including percent-encoded and double-encoded forms (%3Cscript, %253Cscript).
  • Any request to the unit_testing directory at all: these templates have no role in normal POS operation, so legitimate users have no reason to request them.
  • An existing session cookie reused from a new IP address or user agent shortly after its owner requested the vulnerable endpoint, which is the signature of cookie theft.

Network Indicators:

  • HTTP requests to the vulnerable endpoint whose parameters contain JavaScript, HTML event handlers, or their percent-encoded and double-encoded equivalents.

SIEM Query:

source="web_server_logs" AND url="/inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php" AND (param CONTAINS "<script" OR param CONTAINS "%3Cscript" OR param CONTAINS "%253Cscript" OR param CONTAINS "javascript:" OR param CONTAINS "onerror=" OR param CONTAINS "onload=")

Adjust the field names to your log schema. Decoding the query string before matching is more robust than enumerating encodings, and a plain match on "<script>" alone misses both encoded payloads and tag variants such as <img onerror=...>.
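The log-side detection described under Log Indicators and the SIEM query, as an added example (not vendor code): it parses combined-format access logs, decodes repeated percent-encoding, and flags requests to the vulnerable path that carry XSS markup. The log lines are constructed, not captured, and the query-parameter name used in them is an assumption; the scan keys on the whole query string so it does not depend on that name.

```python
"""Scan web-server access logs for XSS probes against the vulnerable template.

Added example for this advisory (not vendor code). Sample log lines are
constructed; the parameter name "param" in them is an assumption.
"""
import re
import urllib.parse
from collections import Counter

VULN_PATH = "/inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php"

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markup that only makes sense as an XSS attempt inside a query string
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
}


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Strip repeated percent-encoding (attackers double-encode to evade string matches)."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_line(line: str):
    """Return a finding dict for an XSS probe against VULN_PATH, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != VULN_PATH:
        return None
    decoded = fully_decode(query)
    hits = [name for name, rx in XSS_PATTERNS.items() if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": m.group("status"),
        "query": decoded,
        "patterns": hits,
    }


def scan(lines):
    """All findings, in log order."""
    return [f for f in (inspect_line(line) for line in lines) if f]


def sources(findings) -> Counter:
    """Findings per client IP: a scanner shows many hits, a phished victim one."""
    return Counter(f["ip"] for f in findings)


# Constructed sample lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2025:10:00:01 +0000] "GET ' + VULN_PATH
    + '?param=media/js/demo.js HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2025:10:00:09 +0000] "GET ' + VULN_PATH
    + '?param=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2025:10:00:11 +0000] "GET ' + VULN_PATH
    + '?param=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2025:10:00:15 +0000] "GET /inventory/index.php'
    + '?q=%3Cscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Sep/2025:10:05:42 +0000] "GET ' + VULN_PATH
    + '?param=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4290 "-" "curl/8.0"',
    "garbage line that does not parse",
]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], f["patterns"], f["query"])
    print(sources(found))
```

The benign request and the probe against a different path are ignored, the double-encoded payload is caught after decoding, and the onerror= variant is caught without any literal "<script>" in it. A 200 status on a flagged line means the payload was served rather than blocked, which is the case to escalate.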

🔗 References