CVE-2025-66921

7.2 HIGH

📋 TL;DR

This cross-site scripting (XSS) vulnerability in Open Source Point of Sale v3.4.1 allows remote attackers to inject malicious scripts via the 'name' parameter in the Create/Update Item(s) module. An attacker can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies or performing actions as an authenticated user. All deployments running Open Source Point of Sale v3.4.1 are affected.

💻 Affected Systems

Products:
  • Open Source Point of Sale
Versions: v3.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface; requires user interaction with malicious content.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals administrator session cookies, gains full control of the POS system, modifies pricing, steals customer payment data, or installs backdoors.

🟠 Likely Case

Attacker steals user session cookies to gain unauthorized access, modifies inventory items, or redirects users to phishing sites.

🟢 If Mitigated

Script execution is blocked by Content Security Policy or input validation, limiting impact to minor UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the Create/Update Item(s) module; XSS payloads are simple to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/opensourcepos/opensourcepos

Restart Required: No

Instructions:

1. Monitor the official GitHub repository for security updates.
2. Apply any available patches immediately.
3. Consider upgrading to a newer version once a patched version is released.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation to sanitize the 'name' parameter, removing or encoding HTML/JavaScript characters.

Content Security Policy (CSP)

all

Deploy a strict CSP header to block inline scripts and restrict script sources to trusted domains only.

Content-Security-Policy: default-src 'self'; script-src 'self'
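The two workarounds above (encoding the 'name' parameter on output and shipping the strict CSP header) are shown together below in a small Python handler. This is an added illustration, not code from Open Source Point of Sale, which is a PHP application; the function names, the sample item name and the response structure are constructed for the example. The point it makes that the prose does not: the item name appears both as page text and inside the value="..." attribute of the edit form, so the encoding must also neutralise quotes, which html.escape does with quote=True.

```python
import html

# Constructed sample: an item name carrying the same test payload the
# advisory's verification step uses (hypothetical value, not page data).
SAMPLE_NAME = "Widget <script>alert('XSS')</script>"

# The strict CSP from the workaround section, as a header name/value pair.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


def render_item_vulnerable(name: str) -> str:
    """Reflects the item name into HTML unchanged: the defect class the advisory
    describes. Shown only so the hardened version can be compared against it."""
    return f'<h1>{name}</h1><input name="name" value="{name}">'


def render_item_hardened(name: str) -> str:
    """Encodes the name for both text and attribute context.

    html.escape(..., quote=True) turns & < > " ' into entities, so the browser
    treats the value as data inside <h1> and cannot break out of the
    value="..." attribute on the edit form either."""
    safe = html.escape(name, quote=True)
    return f'<h1>{safe}</h1><input name="name" value="{safe}">'


def build_response(name: str) -> tuple:
    """Returns (headers, body) the way a view handler might. The CSP header is
    defence in depth: even if some other template forgets to encode, inline
    script is refused by the browser."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    headers[CSP_HEADER[0]] = CSP_HEADER[1]
    return headers, render_item_hardened(name)


def contains_raw_script(body: str) -> bool:
    """Crude check used for verification: is an unencoded <script tag present?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    print("vulnerable:", render_item_vulnerable(SAMPLE_NAME))
    headers, body = build_response(SAMPLE_NAME)
    print("headers:", headers)
    print("hardened:", body)
```

Run it to see the two renderings side by side; the hardened body contains `&lt;script&gt;` and `&#x27;` where the vulnerable one contains a live tag and raw quotes.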

🧯 If You Can't Patch

  • Restrict access to the POS system to trusted networks only using firewalls or VPNs.
  • Implement web application firewall (WAF) rules to block XSS payloads in the 'name' parameter.

🔍 How to Verify

Check if Vulnerable:

Test by entering a basic XSS payload like <script>alert('XSS')</script> in the 'name' field of the Create/Update Item(s) module and check whether it executes when the item is displayed.

Check Version:

Check the version in the admin panel or via the application's about/help section.

Verify Fix Applied:

After applying fixes, retest with XSS payloads to ensure they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual length or special characters in 'name' parameter logs
  • Multiple failed login attempts followed by item creation/modification

Network Indicators:

  • HTTP requests with script tags or JavaScript in the 'name' parameter
  • Unusual outbound connections from the POS server

SIEM Query:

source="web_logs" AND (name="*<script>*" OR name="*javascript:*")
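The SIEM query above matches the literal strings <script> and javascript: in the logged 'name' value, but in a web server access log the parameter normally arrives percent-encoded (%3Cscript%3E), so a literal match misses it. The added Python scanner below, which is example code and not part of the advisory or the project, parses constructed common-log-format lines, percent-decodes the 'name' query parameter and only then applies the indicators; it also adds the inline event-handler pattern (onerror=, onload=) that the page's two indicators leave out. The sample log lines, usernames and IPs are made up for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2025:10:00:01 +0000] "POST /items/save?name=Coffee+Mug HTTP/1.1" 200 512
10.0.0.9 - bob [01/Jan/2025:10:00:07 +0000] "POST /items/save?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - bob [01/Jan/2025:10:00:09 +0000] "POST /items/save?name=%3Ca+href%3Djavascript%3Avoid%280%29%3Ex%3C%2Fa%3E HTTP/1.1" 200 512
10.0.0.9 - bob [01/Jan/2025:10:00:11 +0000] "POST /items/save?name=Mug+%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1" 200 512
10.0.0.7 - carol [01/Jan/2025:10:01:00 +0000] "GET /items HTTP/1.1" 200 2048
"""

# Common log format: ip ident user [timestamp] "method target proto" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory's two indicators plus the inline event-handler form.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}


def decode_name_param(target: str) -> Optional[str]:
    """Extracts the 'name' query parameter from a request target and decodes it.

    parse_qs performs one round of percent-decoding; the extra unquote_plus
    catches double-encoded values, at the cost of turning a literal '+' in an
    already-decoded name into a space (acceptable for detection purposes)."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("name")
    if not values:
        return None
    return unquote_plus(values[0])


def scan_log(text: str) -> list:
    """Returns one finding per request whose decoded 'name' matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        name = decode_name_param(m.group("target"))
        if name is None:
            continue
        hits = [label for label, rx in INDICATORS.items() if rx.search(name)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "name": name,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']} {f['indicators']} {f['name']!r}")
```

On the sample log the scanner flags the three requests from bob and leaves alice's and carol's alone; the plain SIEM query would have matched none of the three, because every payload is percent-encoded in the log. If your log pipeline already decodes query strings before indexing, the literal query works and the decoding step here is redundant.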
