CVE-2025-68658 (CNNVD-202601-1961)
中文标题:
Open Source Point of Sale 跨站脚本漏洞
英文标题:
Open Source Point of Sale (opensourcepos) Stored XSS in Configuration (Information) – Company Name field
漏洞描述
中文描述:
Open Source Point of Sale是opensourcepos开源的一个基于网络的销售点系统。 Open Source Point of Sale 3.4.0版本和3.4.1版本存在跨站脚本漏洞,该漏洞源于配置功能存在存储型跨站脚本,可能导致经过身份验证的用户在更新配置信息时向公司名字段注入恶意JavaScript有效载荷。
英文描述:
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 has a stored XSS vulnerability exists in the Configuration (Information) functionality. An authenticated user with the permission “Configuration: Change OSPOS's Configuration” can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The malicious payload is stored and later triggered when a user accesses /sales/complete. First select Sales, and choose New Item to create an item, then click on Completed . Due to insufficient input validation and output encoding, the payload is rendered and executed in the user’s browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| opensourcepos | opensourcepos | < 3.4.2 | - | - |
cpe:2.3:a:opensourcepos:opensourcepos:<_3.4.2:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-68658 |
2026-01-14 02:22:03 | 2026-01-14 06:07:47 |
| NVD | nvd_CVE-2025-68658 |
2026-01-14 03:00:13 | 2026-01-14 06:14:35 |
| CNNVD | cnnvd_CNNVD-202601-1961 |
2026-01-15 01:52:31 | 2026-01-15 01:53:14 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 跨站脚本
- cnnvd_id: 未提取 -> CNNVD-202601-1961
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']