CVE-2025-67263

6.1 MEDIUM

📋 TL;DR

Abacre Retail Point of Sale 14.0.0.396 has a stored XSS vulnerability in the Clients module: script content entered into the Name and Surname fields is stored and later rendered without sanitization. This lets an attacker execute arbitrary JavaScript in the context of legitimate users whenever they view the affected client record. All users of this specific version are affected.

💻 Affected Systems

Products:
  • Abacre Retail Point of Sale
Versions: 14.0.0.396
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the Clients module with appropriate permissions to create/modify client records.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions as authenticated users, or install malware on client systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the application interface when users view client records.

🟢 If Mitigated

Limited to UI disruption or minor data manipulation if input validation blocks most payloads.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create or modify client records. The vulnerability lies in stored data that is rendered without sanitization, so the payload fires for any user who later views the record.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.abacre.com/retailpointofsale/

Restart Required: No

Instructions:

No official patch available. Monitor vendor website for updates and apply when released.

🔧 Temporary Workarounds

Input Validation at Application Layer (applies to: all)

Implement server-side input validation to sanitize Name and Surname fields before storage.

Output Encoding (applies to: all)

Apply proper HTML encoding when rendering client data in web interfaces.

🧯 If You Can't Patch

  • Restrict access to the Clients module to only trusted users with minimal necessary permissions.
  • Implement a web application firewall (WAF) with XSS protection rules to filter malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> in the Name or Surname field of a test client record and check whether the script executes when that record is viewed.

Check Version:

Check Help > About in the application interface for version information.

Verify Fix Applied:

Verify that script tags and other HTML/JavaScript payloads in Name and Surname fields are displayed as literal text (sanitized or HTML-encoded) rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual client record modifications with script-like content in name fields
  • Multiple failed login attempts followed by client data changes

Network Indicators:

  • Outbound connections to suspicious domains from POS systems after viewing client data

SIEM Query:

source="pos_logs" AND (message="*<script>*" OR message="*javascript:*")
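The Output Encoding workaround and the log-indicator detection above, as an added example in Python that is not part of this advisory or of Abacre's own code. The client records, the key=value audit-log format and the field names are constructed assumptions; adapt LOG_LINE to the real log format.

```python
import html
import re

# Constructed sample client records: the first carries a stored-XSS payload of the
# kind this advisory describes, the second is a legitimate name with an apostrophe.
CLIENTS = [
    {"name": "Alice<script>alert('XSS')</script>", "surname": "Smith"},
    {"name": "Conor", "surname": "O'Neil"},
]

def render_client_row_unsafe(client):
    """Rendering without encoding: the pattern the advisory describes (do not use)."""
    return f"<tr><td>{client['name']}</td><td>{client['surname']}</td></tr>"

def render_client_row(client):
    """Hardened rendering: every field is HTML-encoded at output time, so a stored
    payload is displayed as literal text instead of being executed by the browser."""
    cells = "".join(
        f"<td>{html.escape(str(client[field]), quote=True)}</td>"
        for field in ("name", "surname")
    )
    return f"<tr>{cells}</tr>"

# Script-like content in name fields, mirroring the SIEM query above
# (<script> and javascript:) plus inline event-handler attributes such as onmouseover=.
SCRIPT_LIKE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Hypothetical audit-log line format (assumption, not Abacre's real format).
LOG_LINE = re.compile(
    r'user=(?P<user>\S+) action=client_update field=(?P<field>\w+) value="(?P<value>.*)"$'
)

# Constructed log lines: one <script> payload, one benign apostrophe, one attribute
# injection attempt, and one unrelated event.
SAMPLE_LOGS = [
    '2025-11-03T10:12:01Z user=clerk1 action=client_update field=name value="Alice<script>alert(\'XSS\')</script>"',
    '2025-11-03T10:13:45Z user=clerk2 action=client_update field=surname value="O\'Neil"',
    '2025-11-03T10:15:09Z user=clerk1 action=client_update field=surname value="x\\" onmouseover=alert(1) \\""',
    '2025-11-03T10:16:30Z user=clerk3 action=login_failed',
]

def flag_script_like_changes(log_lines):
    """Return (user, field, value) for client_update events whose Name/Surname
    value contains script-like content; benign punctuation such as O'Neil passes."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("field") in ("name", "surname") and SCRIPT_LIKE.search(m.group("value")):
            hits.append((m.group("user"), m.group("field"), m.group("value")))
    return hits
```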
