CVE-2025-57204
📋 TL;DR
Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 has a stored XSS vulnerability in the Products module that allows authenticated attackers to inject malicious JavaScript into product names. When other users view affected product pages, the JavaScript executes in their browsers, potentially enabling session hijacking, data theft, or privilege escalation. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- Stocky POS with Inventory Management & HRM (ui-lib)
📦 What is this software?
Stocky by Ui Lib
⚠️ Risk & Real-World Impact
Worst Case
Administrative account takeover leading to complete system compromise, data exfiltration of sensitive business information, and lateral movement within the network.
Likely Case
Session hijacking of regular users, privilege escalation to gain administrative access, and data theft from user sessions.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting user interface elements without data compromise.
🎯 Exploit Status
Requires authenticated access to the Products module. Exploitation involves crafting XSS payloads in product names.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - check vendor for updated version
Vendor Advisory: https://codecanyon.net/item/stockyultimate-inventory-management-system-with-pos/31445124
Restart Required: No
Instructions:
1. Check vendor website for updated version.
2. Backup current installation.
3. Apply vendor-provided patch or upgrade to fixed version.
4. Test functionality after patching.
🔧 Temporary Workarounds
Input Validation Filter
- Implement server-side input validation to sanitize product name parameters
- Implement input validation in the product-creation endpoint to strip/escape HTML/JS characters
Content Security Policy
- Implement restrictive CSP headers to limit script execution
- Add a Content-Security-Policy header with script-src 'self'
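The two workarounds above, worked through as an added example (not the advisory's text and not Stocky's own code): validate the product name when it is submitted, HTML-encode it when it is rendered, and send the CSP header. Stocky's framework, routes and templates are not described on this page, so the handler and view functions below are stand-ins, and the field name, length limit and character rules are assumptions.

```python
"""Server-side mitigations for stored XSS in product names.

Added example; Stocky's real product-creation handler and product view are
not shown on the advisory page, so these functions are stand-ins.
"""
import html
import re
import unicodedata

MAX_NAME_LEN = 120  # assumed limit; pick one that fits the real schema
# Angle brackets are rejected on input. Quotes and ampersands are legitimate
# in product names, so they are left to output encoding rather than stripped.
_FORBIDDEN = re.compile(r"[<>]")


class InvalidProductName(ValueError):
    """Raised by the product-creation endpoint for names that fail validation."""


def validate_product_name(raw):
    """Input-side check: normalise, trim, bound the length, reject markup
    and control characters. Rejecting (rather than silently stripping)
    leaves a visible trace of tampering attempts in the application log."""
    name = unicodedata.normalize("NFC", raw).strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise InvalidProductName("empty or too long")
    if any(ord(c) < 32 for c in name):
        raise InvalidProductName("control characters not allowed")
    if _FORBIDDEN.search(name):
        raise InvalidProductName("markup characters not allowed")
    return name


def is_valid_product_name(raw):
    """Boolean wrapper around validate_product_name for callers that log and continue."""
    try:
        validate_product_name(raw)
        return True
    except InvalidProductName:
        return False


def render_product_vulnerable(name):
    """Rendering without output encoding: the defect class the advisory describes.
    Kept here only to contrast with render_product below."""
    return f"<h1>{name}</h1>"


def render_product(name):
    """Output-side fix: encode the value regardless of what validation did,
    so a name that reached the database by another path is still inert."""
    return f"<h1>{html.escape(name, quote=True)}</h1>"


def security_headers():
    """CSP from the workaround list: only same-origin script files may run,
    which blocks inline <script> blocks and javascript: URLs even if a
    payload is stored. Tighten further once legitimate script sources are known."""
    return {"Content-Security-Policy": "script-src 'self'"}


if __name__ == "__main__":
    test_payload = "<script>alert('XSS')</script>"  # the page's own test string
    print("valid:", is_valid_product_name(test_payload))
    print("vulnerable:", render_product_vulnerable(test_payload))
    print("fixed:     ", render_product(test_payload))
    print(security_headers())
```

Validation and output encoding are independent layers: the first keeps junk out of the database, the second makes whatever is in the database harmless when displayed. The CSP is a third layer that limits the damage if both are bypassed.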
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in product names
- Disable product creation for non-essential users and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Test by creating a product with an XSS payload in the name field (e.g., <script>alert('XSS')</script>) and checking whether it executes when viewing the product
Check Version:
Check application version in admin panel or about page
Verify Fix Applied:
Attempt the same XSS payload after patching; the name should be rendered as literal text and the script should not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual product names containing script tags or JavaScript code
- Multiple product creation attempts with similar payloads
Network Indicators:
- POST requests to product-creation endpoint with suspicious payloads
SIEM Query:
web_requests WHERE url_path CONTAINS 'product-creation' AND (request_body CONTAINS '<script' OR request_body CONTAINS 'javascript:')
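The log, network and SIEM indicators above, run over a constructed request log as an added example (not part of the advisory, and not a query for any particular SIEM product). The JSON-lines format, field names, user names and the /products/product-creation path are assumptions; Stocky's real route and log layout are not described on this page. The logic goes one step beyond the SIEM query: it URL-decodes the body before matching, ignores case, and counts repeated attempts per user, which is the "multiple product creation attempts" indicator.

```python
"""Detection logic for stored-XSS attempts against the product-creation endpoint.

Added example; log format, field names and endpoint path are assumptions.
"""
import json
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample request log (JSON lines). Bodies are form-encoded the way
# a browser would submit them, so payloads arrive percent-encoded.
SAMPLE_LOG = """\
{"ts":"2025-06-01T10:00:01Z","user":"alice","method":"POST","url_path":"/products/product-creation","body":"name=Red+Widget&price=9.99"}
{"ts":"2025-06-01T10:00:05Z","user":"mallory","method":"POST","url_path":"/products/product-creation","body":"name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&price=1"}
{"ts":"2025-06-01T10:00:09Z","user":"mallory","method":"POST","url_path":"/products/product-creation","body":"name=%3CSCRIPT%3Ealert%282%29%3C%2Fscript%3E&price=1"}
{"ts":"2025-06-01T10:00:12Z","user":"bob","method":"GET","url_path":"/products/42","body":""}
{"ts":"2025-06-01T10:00:20Z","user":"mallory","method":"POST","url_path":"/products/product-creation","body":"name=%3Ca+href%3D%22javascript%3Aalert%283%29%22%3Ex%3C%2Fa%3E&price=1"}
{"ts":"2025-06-01T10:00:30Z","user":"carol","method":"POST","url_path":"/users/profile","body":"bio=%3Cscript%3Ex%3C%2Fscript%3E"}
"""

# The two substrings from the advisory's SIEM query, matched case-insensitively
# on the decoded body so encoded or mixed-case variants are not missed.
PAYLOAD_PATTERNS = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
]
ENDPOINT_MARKER = "product-creation"  # assumed path fragment


def parse_log(text):
    """Parse a JSON-lines request log, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_suspicious(event):
    """True when the request hits the product-creation endpoint AND the
    decoded body contains one of the payload markers (the parenthesised
    form of the SIEM query; without the parentheses, any request anywhere
    containing 'javascript:' would match)."""
    if ENDPOINT_MARKER not in event.get("url_path", ""):
        return False
    body = unquote_plus(event.get("body", ""))
    return any(p.search(body) for p in PAYLOAD_PATTERNS)


def find_suspicious(events):
    """All events that should raise an alert."""
    return [e for e in events if is_suspicious(e)]


def repeat_offenders(events, threshold=2):
    """Users with `threshold` or more suspicious product-creation attempts,
    which is the 'multiple attempts with similar payloads' indicator."""
    counts = Counter(e.get("user", "?") for e in find_suspicious(events))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in find_suspicious(evts):
        print(e["ts"], e["user"], e["url_path"], unquote_plus(e["body"]))
    print("repeat offenders:", repeat_offenders(evts))
```

Carol's request carries a script tag but targets a different endpoint, so it does not match this rule; if other stored-XSS sinks exist in the application, widen ENDPOINT_MARKER rather than dropping the endpoint condition. Substring matching on `<script` and `javascript:` is what the advisory lists and is cheap to run, but it will not catch event-handler attributes or other encodings, so treat a hit as a trigger for review of the stored product names, not as the only control.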