CVE-2025-68147

8.1 HIGH

📋 TL;DR

A stored XSS vulnerability in Open Source Point of Sale allows attackers with administrative access to inject malicious JavaScript into the Return Policy field. This code executes when users view receipts, potentially compromising their sessions and data. All users viewing receipts are affected, including administrators and sales staff.

💻 Affected Systems

Products:
  • Open Source Point of Sale (opensourcepos)
Versions: 3.4.0 to 3.4.1
Operating Systems: Any OS running PHP web applications
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to Store Configuration, which could be obtained via a separate CSRF vulnerability or through compromised credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all user sessions, theft of sensitive financial data, unauthorized administrative actions, and potential lateral movement within the system.

🟠 Likely Case

Session hijacking of sales staff or administrators, theft of credentials and transaction data, and unauthorized modifications to system settings.

🟢 If Mitigated

Limited impact once proper input validation and output escaping are in place; at most, users who view receipts containing previously stored malicious content are affected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative privileges but is trivial once access is obtained. Public proof-of-concept exists on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.2

Vendor Advisory: https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh

Restart Required: No

Instructions:

1. Back up your current installation and database.
2. Download version 3.4.2 from the official repository.
3. Replace all files with the patched version.
4. Verify the fix by checking that the esc() function is used in receipt templates.
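The fix the advisory describes is output escaping of the stored Return Policy value when a receipt is rendered. The following PHP is an added illustration, not code from OpenSourcePOS: it renders a constructed Return Policy value the way a vulnerable template would and the way a patched one does. The project's templates use CodeIgniter's esc() helper per the page; the example uses PHP's built-in htmlspecialchars() so it runs stand-alone, and the function names and element id are hypothetical.

```php
<?php
// Added example (not OpenSourcePOS code). Function names and the element id
// are hypothetical; the sample value below is constructed for the demo.

// Constructed sample: what an administrator could save in Store Configuration.
$returnPolicy = 'Returns accepted within 30 days. <script>alert(1)</script>';

// Vulnerable rendering: the stored value is echoed verbatim, so any markup in
// it becomes part of the receipt page and runs in every viewer's browser.
function renderReturnPolicyUnsafe(string $policy): string
{
    return '<div id="return_policy">' . $policy . '</div>';
}

// Hardened rendering: HTML-encode at output time. This is the same class of
// fix as the esc() call the 3.4.2 templates apply; htmlspecialchars() with
// ENT_QUOTES also covers values placed inside attributes.
function renderReturnPolicySafe(string $policy): string
{
    $encoded = htmlspecialchars($policy, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div id="return_policy">' . $encoded . '</div>';
}

// Check corresponding to step 4 of the fix instructions: rendered receipt
// output must not contain a raw <script> tag for this stored value.
function containsRawScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderReturnPolicyUnsafe($returnPolicy), PHP_EOL;
echo renderReturnPolicySafe($returnPolicy), PHP_EOL;
var_dump(containsRawScript(renderReturnPolicyUnsafe($returnPolicy)));
var_dump(containsRawScript(renderReturnPolicySafe($returnPolicy)));
```

The same containsRawScript() check can be run against a real receipt page fetched from a test instance after saving a harmless marker tag in the Return Policy field, which is a quick way to confirm the escaping is in place.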

🔧 Temporary Workarounds

Manual Input Sanitization (applies to all affected versions)

Ensure the Return Policy field contains only plain text without any HTML tags or JavaScript.

🧯 If You Can't Patch

  • Restrict administrative access to Store Configuration to trusted personnel only
  • Implement web application firewall rules to block XSS payloads in the Return Policy field

🔍 How to Verify

Check if Vulnerable:

Check whether the version is between 3.4.0 and 3.4.1, and examine whether the Return Policy field accepts HTML/JavaScript input without sanitization.

Check Version:

Check application/controllers/Home.php or application/config/constants.php for version information.

Verify Fix Applied:

Verify that the version is 3.4.2 or higher, and check that receipt templates use the esc() function for Return Policy output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Store Configuration settings
  • Multiple failed login attempts followed by configuration changes

Network Indicators:

  • HTTP requests containing JavaScript payloads in the Return Policy parameter
  • Unusual outbound connections from receipt viewing sessions

SIEM Query:

source="web_logs" AND (uri="/config/store" OR parameter="return_policy") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
