CVE-2025-68147 Overview
CVE-2025-68147 is a stored Cross-Site Scripting (XSS) vulnerability in Open Source Point of Sale (opensourcepos), a PHP-based point-of-sale application built on the CodeIgniter framework. The flaw affects versions 3.4.0 through 3.4.1 and resides in the Return Policy configuration field within Store Configuration. The application fails to sanitize input before persisting it to the database and rendering it on transaction receipts. Attackers with administrative access can inject JavaScript payloads that execute in the browser of every user who views a receipt. The issue is tracked as [CWE-79] and was patched in version 3.4.2.
Critical Impact
Authenticated attackers can hijack sessions, exfiltrate sensitive transaction data, and perform unauthorized actions in the browser context of administrators and sales staff.
Affected Products
- Open Source Point of Sale (opensourcepos) version 3.4.0
- Open Source Point of Sale (opensourcepos) version 3.4.1
- All opensourcepos deployments using the unpatched Return Policy configuration field
Discovery Timeline
- 2025-12-17 - CVE-2025-68147 published to NVD
- 2025-12-18 - Last updated in NVD database
Technical Details for CVE-2025-68147
Vulnerability Analysis
The vulnerability stems from missing output encoding in the receipt template that renders the Return Policy value. An authenticated user with access to Store Configuration can save arbitrary HTML and JavaScript into the field. The stored payload is retrieved and inserted into receipt views without HTML escaping, causing the browser to parse and execute the attacker-controlled markup.
Because receipts are viewed by every user completing or reviewing a transaction, the payload propagates broadly across administrators, cashiers, and back-office staff. Successful exploitation can lead to session cookie theft, credential harvesting via injected forms, forced administrative actions through CSRF chaining, and pivoting into adjacent application features.
The scope change reflected in the CVSS vector indicates that exploitation crosses the privilege boundary from the configuration component into the rendering context used by all authenticated sessions.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The CodeIgniter esc() helper was not applied to the Return Policy variable inside the receipt template, so raw user-supplied content was concatenated directly into the rendered HTML. The fix in commit 22297a introduces esc() around the field on output.
Attack Vector
Exploitation requires an authenticated account with rights to modify Store Configuration. A rogue administrator can inject the payload directly. Alternatively, a lower-privileged or external attacker can chain the previously disclosed CSRF weakness in opensourcepos to coerce an administrator's browser into saving the malicious value. Once stored, no further attacker interaction is needed — the payload fires whenever any user views a receipt.
For technical detail and proof-of-concept material, see the GitHub PoC for CVE-2025-68147 and the GHSA-xgr7-7pvw-fpmh advisory.
Detection Methods for CVE-2025-68147
Indicators of Compromise
- HTML tags or <script> elements stored in the Return Policy field of the opensourcepos configuration table
- Receipt HTML responses containing unexpected <script>, onerror, onload, or javascript: attributes
- Outbound browser requests from staff workstations to unknown domains immediately after viewing receipts
- Unexpected session token usage or administrative actions originating from staff accounts that recently viewed transactions
Detection Strategies
- Query the application database for any non-plaintext content in the Return Policy configuration value, flagging records containing <, >, or &#
- Inspect web server access logs for POST requests to the Store Configuration endpoint containing encoded script payloads
- Deploy a web application firewall (WAF) rule that blocks script-like patterns submitted to configuration update endpoints
- Review running opensourcepos versions and confirm they are at 3.4.2 or later through software inventory tooling
Monitoring Recommendations
- Log all modifications to Store Configuration with the actor account, source IP, and submitted values
- Alert on administrative configuration changes occurring outside expected maintenance windows
- Monitor browser endpoints for anomalous JavaScript execution and outbound data transfers tied to point-of-sale workstations
How to Mitigate CVE-2025-68147
Immediate Actions Required
- Upgrade opensourcepos to version 3.4.2 or later, which applies esc() to the Return Policy field in the receipt template
- Audit the current Return Policy configuration value and remove any HTML or scripting content
- Rotate session cookies and force re-authentication for all administrative and sales accounts after patching
- Review administrative account activity for unexpected configuration changes since deployment of 3.4.0
Patch Information
The vendor released the fix in opensourcepos version 3.4.2 via commit 22297a. The patch wraps the Return Policy output in the CodeIgniter esc() function inside the receipt template, ensuring HTML entities are encoded before rendering. Refer to the vendor commit and the GHSA-xgr7-7pvw-fpmh security advisory for the authoritative remediation.
Workarounds
- Restrict the Return Policy field to plain text only and prohibit any HTML markup as an operational policy
- Limit Store Configuration access to a minimal set of trusted administrative accounts
- Enforce strong CSRF protections and require re-authentication before saving configuration changes to reduce chained exploitation
- Apply a Content Security Policy (CSP) that disallows inline script execution on receipt pages where feasible
# Upgrade opensourcepos to the patched release
git fetch --tags
git checkout v3.4.2
composer install --no-dev --optimize-autoloader
php spark migrate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
