CVE-2025-10067
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the itsourcecode POS Point of Sale System 1.0 through manipulation of the 'scripts' argument in the empty_table.php file. This enables cross-site scripting attacks that can steal session cookies, redirect users, or deface the application. Organizations using this specific POS system version are affected.
💻 Affected Systems
- itsourcecode POS Point of Sale System
📦 What is this software?
Point Of Sale System by Facebook Kimmymatillano
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system access, compromise customer payment data, and install persistent backdoors.
Likely Case
Attackers hijack user sessions to perform unauthorized transactions, steal customer information, or deface the POS interface.
If Mitigated
With proper input validation and output encoding, the injected script is rendered as inert text instead of executing, so the impact is limited to log entries recording the attempted exploitation.
🎯 Exploit Status
The exploit is publicly documented and can be executed remotely without authentication, making it relatively easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: UNKNOWN
Vendor Advisory: https://itsourcecode.com/
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. If a patch is available, download and apply it following the vendor's instructions.
3. Test functionality after patching.
🔧 Temporary Workarounds
Input Validation Filter
PHP: Implement server-side input validation to sanitize the 'scripts' parameter before it is processed.
Apply PHP filter_var() to validate, or htmlspecialchars() to encode, the 'scripts' parameter before it is written into the page.
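The following is an added example, not code from the itsourcecode POS project or from the advisory. It assumes a hypothetical template that echoes the 'scripts' request parameter into a script tag (the function names, the colon-separated file-name format and the js/ directory are assumptions) and shows the unsafe pattern beside a hardened version that both validates with filter_var() and encodes with htmlspecialchars(), as the workaround above suggests:

```php
<?php
// Added example (not the POS project's own code). A hypothetical template
// that reflects the 'scripts' parameter, in unsafe and hardened forms.

// Unsafe pattern: the raw parameter is concatenated into HTML unencoded,
// so any markup it carries is interpreted by the browser (reflected XSS).
function render_unsafe(array $query): string
{
    $scripts = $query['scripts'] ?? '';
    return '<script src="' . $scripts . '"></script>';
}

// Hardened pattern:
//  1. validate: accept only what the parameter is meant to carry (assumed
//     here to be a colon-separated list of plain .js file names; '/' and
//     '\' are excluded, so no directory traversal is possible);
//  2. encode: HTML-escape each value where it is written into the page.
// Validation matters here because htmlspecialchars() alone does not make a
// URL attribute safe: a "javascript:" value contains nothing to escape.
function render_hardened(array $query): string
{
    $raw = $query['scripts'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return '';
    }
    $out = '';
    foreach (explode(':', $raw) as $name) {
        $valid = filter_var($name, FILTER_VALIDATE_REGEXP, [
            'options' => ['regexp' => '/\A[A-Za-z0-9_.-]+\.js\z/'],
        ]);
        if ($valid === false) {
            continue; // drop anything that is not a plain .js file name
        }
        $safe = htmlspecialchars($valid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= '<script src="js/' . $safe . '"></script>' . "\n";
    }
    return $out;
}

// Constructed inputs for comparison (not captured from a real system).
$benign  = ['scripts' => 'jquery.js:datatables.js'];
$hostile = ['scripts' => '<script>test</script>'];

echo "unsafe/benign:    " . render_unsafe($benign) . "\n";
echo "unsafe/hostile:   " . render_unsafe($hostile) . "\n";   // markup reflected verbatim
echo "hardened/benign:\n" . render_hardened($benign);
echo "hardened/hostile: [" . render_hardened($hostile) . "]\n"; // empty: value rejected
```

Run it with `php example.php`. The hardened path rejects the hostile value outright; if the parameter were ever allowed to carry free text into an HTML text node, htmlspecialchars() with ENT_QUOTES would be the encoding step, but for a src attribute the allow-list is what actually closes the hole.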
Web Application Firewall
All: Deploy a WAF with XSS protection rules to block malicious script-injection attempts.
🧯 If You Can't Patch
- Implement Content Security Policy headers to restrict script execution sources
- Disable or restrict access to the vulnerable /inventory/main/vendors/datatables/unit_testing/templates/ directory
🔍 How to Verify
Check if Vulnerable:
Test by injecting a simple script payload into the 'scripts' parameter and checking whether it executes in the browser.
Check Version:
Check the application version in the admin panel or in the readme files.
Verify Fix Applied:
Attempt the same XSS payload after remediation; it should be properly encoded and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to empty_table.php with script tags
- Multiple failed XSS attempts in web logs
Network Indicators:
- HTTP requests containing <script> tags in parameters
- Unusual traffic patterns to the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="*empty_table.php*" AND (param="*<script>*" OR param="*javascript:*")
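As an added example (not part of the advisory), here is a small PHP script that applies the same rule as the SIEM query above to web-server access log lines. It URL-decodes the query string before matching, because a literal `*<script>*` match misses percent-encoded variants such as `%3Cscript%3E`, which is how the payload actually appears in most access logs. The log lines are constructed samples, the client addresses come from documentation ranges, and the function names are assumptions:

```php
<?php
// Added example (not from the advisory): scan access-log lines for requests
// to the vulnerable endpoint whose query carries the XSS indicators.

const TARGET_PATH = 'empty_table.php';
const INDICATORS  = ['<script', 'javascript:'];

// Parse one Apache/nginx common-format access log line into its parts.
// Returns null if the line does not have the expected shape.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'query'  => $url['query'] ?? '',
        'status' => (int) $m[5],
    ];
}

// Apply the rule: path names the vulnerable file AND the decoded query
// contains an indicator. Decoding twice also catches double-encoded input.
function is_suspicious(array $req): bool
{
    if (strpos($req['path'], TARGET_PATH) === false) {
        return false;
    }
    $q = strtolower(urldecode(urldecode($req['query'])));
    foreach (INDICATORS as $needle) {
        if (strpos($q, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Return the parsed requests that trip the rule.
function scan_lines(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). The path is the one named in
// the advisory; the client addresses are from the RFC 5737 documentation range.
$endpoint = '/inventory/main/vendors/datatables/unit_testing/templates/empty_table.php';
$sample = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET ' . $endpoint . '?scripts=jquery.js HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2025:10:00:01 +0000] "GET ' . $endpoint . '?scripts=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [01/Jan/2025:10:00:02 +0000] "GET ' . $endpoint . '?scripts=javascript%3Avoid(0) HTTP/1.1" 200 600',
    '192.0.2.13 - - [01/Jan/2025:10:00:03 +0000] "GET /inventory/index.php?q=%3Cscript%3E HTTP/1.1" 200 300',
];

// Expected: the second and third lines are reported; the first is benign and
// the fourth targets a different path.
foreach (scan_lines($sample) as $hit) {
    printf("ALERT %s %s %s %s?%s\n", $hit['time'], $hit['client'], $hit['method'],
        $hit['path'], urldecode($hit['query']));
}
```

Feed it real lines with `php scan.php < access.log` after replacing the sample array with a loop over `STDIN`. The same decoding step should be built into the SIEM rule itself (most platforms offer a URL-decode function) so that the stored query matches what the PHP application actually received rather than the raw wire form.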