CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3.
Analysis
Stored XSS in Open Source Point of Sale versions prior to 3.4.3 allows authenticated users with customer management permissions to inject malicious JavaScript into customer name fields, which executes when any user views the Daily Sales page. The vulnerability stems from the bootstrap-table column configuration explicitly disabling HTML escaping (escape: false) for the customer_name column, enabling arbitrary script execution with cross-site impact. …
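The column setting described above, as an added example (not code from Open Source Point of Sale or bootstrap-table): a simplified JavaScript model of per-column escaping, plus a review helper that flags columns opting out of escaping for user-editable fields. The function names, the sample row and the corrected column are assumptions; the page does not show the 3.4.3 patch.

```javascript
// Added example: a simplified model of per-column escaping in a table renderer.
// Not bootstrap-table's or OSPOS's code; all names below are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A column-level `escape` overrides the table default; escape: false emits the
// stored value as raw HTML.
function renderCell(row, column, tableEscape = true) {
  const raw = row[column.field] ?? '';
  const escape = column.escape !== undefined ? column.escape : tableEscape;
  return `<td>${escape ? escapeHtml(raw) : String(raw)}</td>`;
}

// Review helper: columns that opt out of escaping while showing user-editable data.
function findUnescapedColumns(columns, userEditableFields) {
  return columns
    .filter((c) => c.escape === false && userEditableFields.has(c.field))
    .map((c) => c.field);
}

// Constructed column set mirroring the setting the advisory describes.
const columns = [
  { field: 'sale_id' },
  { field: 'customer_name', escape: false },
  { field: 'amount_due' },
];
// One corrected form (assumption: the page does not show the 3.4.3 patch).
const correctedColumns = columns.map((c) =>
  c.field === 'customer_name' ? { ...c, escape: true } : c);

// Constructed row: a customer name containing markup.
const row = { sale_id: 17, customer_name: '<img src=x onerror=alert(1)>', amount_due: '12.50' };
const userEditable = new Set(['customer_name']);

console.log(findUnescapedColumns(columns, userEditable));
console.log(renderCell(row, columns[1]));
console.log(renderCell(row, correctedColumns[1]));
console.log(findUnescapedColumns(correctedColumns, userEditable));
```

The helper only inspects client-side column definitions; names should still be validated and encoded where they are stored and wherever else they are displayed.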
EUVD-2026-19939