CVE-2025-70091 Overview
CVE-2025-70091 is a cross-site scripting (XSS) vulnerability in the Customers function of Open Source Point of Sale (opensourcepos) version 3.4.1. Attackers can inject crafted payloads into the Phone Number parameter to execute arbitrary web scripts or HTML in the context of other users' browser sessions. The flaw is categorized under [CWE-79] Improper Neutralization of Input During Web Page Generation. Exploitation requires low-privileged authenticated access and user interaction, but a successful attack changes scope and can compromise session data, deliver malicious content, or pivot to administrative functions within the point-of-sale application.
Critical Impact
Authenticated attackers can inject persistent JavaScript through the customer Phone Number field, enabling session theft, credential capture, and unauthorized actions against staff users who view affected customer records.
Affected Products
- Open Source Point of Sale (opensourcepos) version 3.4.1
- Customers module — Phone Number parameter
- Deployments using CPE cpe:2.3:a:opensourcepos:open_source_point_of_sale:3.4.1
Discovery Timeline
- 2026-02-13 - CVE-2025-70091 published to NVD
- 2026-02-17 - Last updated in NVD database
Technical Details for CVE-2025-70091
Vulnerability Analysis
The Customers function in OpenSourcePOS v3.4.1 accepts user-supplied input for the Phone Number field without performing adequate output encoding or input sanitization. When the stored value is later rendered back to staff users viewing the customer list or customer detail views, the browser interprets injected markup as executable content. Because the application is a point-of-sale platform handling sales, payments, and customer records, script execution in a cashier or administrator session can be leveraged to manipulate transactions, exfiltrate data, or escalate access.
In CVSS terms the attack changes scope: the injected script is stored by the Customers module but executes in the browser sessions of other users, including higher-privileged staff, so the impacted component differs from the vulnerable one.
Root Cause
The root cause is missing contextual output encoding when rendering the Phone Number field within HTML responses. The Customers module trusts stored values from the database and writes them directly into the response body without escaping characters such as <, >, ", and '. Input validation on the Phone Number field also fails to reject non-numeric or markup-bearing content.
Attack Vector
An authenticated user with permission to create or edit customers submits a crafted Phone Number value containing JavaScript markup. The payload is stored in the database and rendered later when any staff user opens the customer list or record. Exploitation requires user interaction in the form of viewing the malicious record. Refer to the GitHub CVE Research Document for technical details and proof-of-concept payload structure.
No verified exploit code is published. The vulnerability manifests when the Customers view renders the stored Phone Number value into HTML without contextual escaping, allowing arbitrary script execution against any staff user who loads the customer record.
Detection Methods for CVE-2025-70091
Indicators of Compromise
- Customer records containing HTML tags, <script>, javascript: URIs, or event handler attributes such as onerror= or onload= in the Phone Number column
- Outbound HTTP requests from cashier or admin browsers to unknown domains immediately after viewing a customer record
- Unexpected session token transmissions or cookie access events originating from the OpenSourcePOS web interface
Detection Strategies
- Query the customers database table for Phone Number values that do not match expected numeric or phone-format patterns
- Inspect web server access logs for POST requests to customer create or update endpoints containing URL-encoded <, >, or script substrings
- Review browser Content Security Policy (CSP) violation reports if CSP is enabled in front of the application
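The two detection strategies above (the phone-format check on stored values and the access-log check on customer create/update requests), worked as an added example that is not part of this advisory or of the OpenSourcePOS project. The customer rows and log lines are constructed, and the `/customers/save` path is an assumed endpoint.

```python
import re
from urllib.parse import unquote_plus

# Constructed rows in the shape of a (customer_id, phone_number) export of the
# customers table; not data from any real deployment.
CUSTOMER_ROWS = [
    (101, "+1 (555) 010-2233"),
    (102, "555 010 4455"),
    (103, "<script src=//example.invalid/x.js></script>"),
    (104, '555-0166" onmouseover="alert(1)'),
    (105, "555-0199 ext. 12"),
]

# Constructed Apache-style access log lines; /customers/save is a hypothetical
# create/update endpoint path.
ACCESS_LOG = """\
10.0.0.5 - - [13/Feb/2026:10:01:02 +0000] "POST /customers/save/0 HTTP/1.1" 302 -
10.0.0.7 - - [13/Feb/2026:10:02:17 +0000] "POST /customers/save/0?phone_number=%3Cscript%3E HTTP/1.1" 302 -
10.0.0.9 - - [13/Feb/2026:10:03:44 +0000] "GET /customers HTTP/1.1" 200 5120
"""

# Allow-list for a legitimate phone number: digits, spaces and the + - ( ) separators.
PHONE_OK = re.compile(r"^[0-9 +\-()]{3,32}$")
# Markup indicators from the IoC list: a tag opener, a javascript: URI, or an on*= handler.
MARKUP = re.compile(r"<[a-z!/]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
CUSTOMER_POST = re.compile(r'"POST (/customers/(?:save|update)\S*) ')


def flag_phone_rows(rows):
    """Return (customer_id, reason) for rows whose phone value is not phone-shaped."""
    flagged = []
    for cid, phone in rows:
        if MARKUP.search(phone):
            flagged.append((cid, "markup"))   # matches an IoC pattern
        elif not PHONE_OK.match(phone):
            flagged.append((cid, "format"))   # non-phone characters, review by hand
    return flagged


def flag_log_lines(log_text):
    """Return 1-based line numbers of customer create/update POSTs whose decoded
    request line carries markup. Only the query string is visible in an access
    log; POST bodies need a request-body audit log such as ModSecurity's."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CUSTOMER_POST.search(line)
        if m and MARKUP.search(unquote_plus(m.group(1))):
            hits.append(n)
    return hits
```

Because a standard access log records only the request line, the log check sees form data only when it travels in the query string; body parameters require a request-body audit log in front of the application.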
Monitoring Recommendations
- Enable detailed audit logging for all create, update, and view operations on the Customers module
- Forward application and web server logs to a centralized log platform and alert on anomalous payloads submitted to the Phone Number parameter
- Monitor staff workstation browsers for unexpected script execution or outbound connections originating from the OpenSourcePOS origin
How to Mitigate CVE-2025-70091
Immediate Actions Required
- Restrict access to the Customers module to trusted staff accounts only and audit existing user permissions
- Sanitize existing customer records by stripping HTML and non-phone characters from the Phone Number column
- Deploy a web application firewall (WAF) rule that blocks HTML markup and JavaScript payloads in form fields submitted to customer endpoints
Patch Information
No vendor patch is referenced in the published CVE record. Monitor the OpenSourcePOS project homepage and the upstream project repository for security updates. Until an official fix is released, apply the workarounds below and consider upgrading once a version newer than 3.4.1 with output encoding fixes for the Customers module becomes available.
Workarounds
- Implement server-side input validation that restricts the Phone Number field to digits, spaces, and common separators such as +, -, (, and )
- Apply contextual HTML output encoding in templates that render customer fields, escaping <, >, ", ', and &
- Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources for the OpenSourcePOS web interface
- Limit customer create and edit privileges to a minimal set of trusted accounts
# Example WAF rule (ModSecurity) blocking markup in customer fields.
# ARGS:/regex/ selects argument names by regular expression; a quoted
# pipe-separated string would be treated as one literal parameter name.
SecRule ARGS:/^(first_name|last_name|phone_number|email)$/ \
    "@rx (?i)(<script|javascript:|onerror=|onload=|<iframe)" \
    "id:1070091,phase:2,deny,status:403,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'CVE-2025-70091 OpenSourcePOS Customers XSS attempt'"
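The server-side validation and legacy-record clean-up from Immediate Actions and Workarounds, together with contextual output encoding for the body and attribute contexts, as an added Python example. It is not OpenSourcePOS code (the project is written in PHP); the template fragments, field name and the stored legacy value are constructed for illustration.

```python
import html
import re

# Allow-list from the workaround: digits, spaces and the + - ( ) separators.
PHONE_ALLOWED = re.compile(r"^[0-9 +\-()]{3,32}$")


def is_valid_phone(value):
    """Server-side validation: accept only allow-listed characters, so markup
    is rejected at submission time rather than stored."""
    return bool(PHONE_ALLOWED.match(value.strip()))


def strip_to_phone_chars(value):
    """Clean-up for existing records: drop every character outside the allow-list.
    Rows changed by this should be reviewed, since legitimate extensions such as
    'ext. 12' are truncated as well."""
    return re.sub(r"[^0-9 +\-()]", "", value).strip()


def render_phone_cell_unsafe(phone):
    """Mirrors the root cause: the stored value is concatenated straight into HTML."""
    return f'<td class="phone">{phone}</td>'


def render_phone_cell(phone):
    """Hardened form: encode < > & " ' for the HTML body context at render time,
    independently of whatever validation let into the database."""
    return f'<td class="phone">{html.escape(phone, quote=True)}</td>'


def render_phone_input(phone):
    """Attribute context: the same encoding keeps a stored value from closing the
    value="..." quote and adding attributes of its own."""
    return f'<input name="phone_number" value="{html.escape(phone, quote=True)}">'


# Constructed legacy record of the kind stored before validation existed.
LEGACY_STORED = '555-0100"><script>x</script>'
```

Output encoding belongs in the template for every field rendered from the database, not only phone_number; validation alone does nothing for records stored before the fix.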
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.