PHP Point of Sale EUVD-2025-209543

CVE-2025-41011 (MEDIUM)
Cross-site Scripting (XSS) (CWE-79)
Published 2026-04-21 by INCIBE; GitHub advisory GHSA-29vm-h87p-hcp4
CVSS 4.0 base score: 5.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: A
Scope: X

Lifecycle Timeline

Apr 21, 2026 - 16:32 (vuln.today): Analysis generated
Apr 21, 2026 - 16:22 (NVD): CVSS changed to 5.1 (MEDIUM)

Description (NVD)

HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input, by sending a request to '/reports/generate/specific_customer' using the 'start_date_formatted' and 'end_date_formatted' parameters.

Analysis (AI)

HTML injection vulnerability in PHP Point of Sale v19.4 allows unauthenticated remote attackers to render arbitrary HTML in victims' browsers via the '/reports/generate/specific_customer' endpoint, affecting the 'start_date_formatted' and 'end_date_formatted' parameters. User interaction is required (victim must visit a crafted link), limiting impact to stored/reflected XSS scenarios. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical Context (AI)

PHP Point of Sale v19.4 fails to properly sanitize or validate user-supplied input in the date formatting parameters of the customer report generation endpoint. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where unsanitized user input is directly rendered into HTML responses without encoding or validation. This allows attackers to inject malicious HTML/JavaScript payloads through the 'start_date_formatted' and 'end_date_formatted' query parameters, which are processed by the PHP application and returned in the victim's browser context without proper output encoding.

Remediation (AI)

Immediate remediation requires upgrading PHP Point of Sale to a patched version; however, no specific fix version has been identified in available vendor advisories at the time of analysis. Contact the vendor (php-point-of-sale project/developers) to obtain a patched release. As an interim compensating control, implement input validation and output encoding: sanitize the 'start_date_formatted' and 'end_date_formatted' parameters using a whitelist of allowed date formats (e.g., YYYY-MM-DD only) and apply HTML entity encoding (htmlspecialchars with ENT_QUOTES flag in PHP) to all output rendered in the '/reports/generate/specific_customer' response. Additionally, implement Content Security Policy (CSP) headers with script-src 'self' to mitigate stored/reflected XSS impact. Web Application Firewall rules blocking script tags and event handlers in query parameters provide temporary protection. Monitor INCIBE and the PHP Point of Sale project repository for patched version announcements.
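The interim control described above, written out as an added example (not code from the PHP Point of Sale project): the two report date parameters are accepted only as canonical YYYY-MM-DD values and every value placed in the response is entity-encoded. The function names and the sample requests are constructed for illustration; only the parameter names come from the advisory.

```php
<?php
declare(strict_types=1);

// Whitelist validation: accept only canonical YYYY-MM-DD. Anything else is
// rejected rather than reflected, so attacker-controlled markup never reaches
// the rendered report. Returns null when the value is not an acceptable date.
function validateReportDate(string $raw): ?string
{
    // \A and \z anchor the whole string (a plain $ would tolerate a trailing newline).
    if (!preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    // '!' resets unspecified fields; createFromFormat still rolls over
    // impossible dates such as 2025-02-30, so require an exact round-trip.
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

// Output encoding: ENT_QUOTES covers both quote styles so the value is safe
// inside attributes as well as text nodes; ENT_SUBSTITUTE avoids returning an
// empty string on malformed UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical view fragment for the report heading: validated values are
// still encoded on output, since validation and encoding are separate layers.
function renderDateRange(array $query): string
{
    $start = validateReportDate((string) ($query['start_date_formatted'] ?? ''));
    $end   = validateReportDate((string) ($query['end_date_formatted'] ?? ''));
    if ($start === null || $end === null) {
        // Fixed message, no echo of the rejected input.
        return '<p class="error">Invalid date range.</p>';
    }
    return '<p>Report from ' . h($start) . ' to ' . h($end) . '</p>';
}

// Constructed sample query strings (not taken from the advisory).
$wellFormed = ['start_date_formatted' => '2025-01-01', 'end_date_formatted' => '2025-01-31'];
$withMarkup = ['start_date_formatted' => '<b>not a date</b>', 'end_date_formatted' => '2025-01-31'];
$rolledOver = ['start_date_formatted' => '2025-02-30', 'end_date_formatted' => '2025-03-01'];

foreach ([$wellFormed, $withMarkup, $rolledOver] as $query) {
    echo renderDateRange($query), PHP_EOL;
}
```

Only the first request produces a report heading; the markup-bearing and rolled-over dates both take the fixed error path, so there is nothing for a WAF rule or CSP to fall back on for this parameter pair.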
