Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos


Reported on Dec 18th 2021
Reflected cross-site scripting vulnerability in the barcode field and the name field of the item kits category.

Proof of Concept

  1. Log in to the demo account.

  2. Go to Item Kits, edit any item, add the payload to the barcode field and click save.

  3. Payload: "><iMg SrC="x" oNeRRor="alert(1);">

  4. [screenshot: poc 1]

  5. [screenshot: poc 2]


This vulnerability is capable of stealing the user's cookie.
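As an added illustration (not code from opensourcepos and not part of the report), the Node.js snippet below shows why a payload of this shape fires when a saved field value is echoed back into an HTML attribute without escaping, and that HTML-escaping the value in attribute context is enough to neutralise it. The field name, the template strings and the naive filter are assumptions made for the example; the payload is the one posted above.

```javascript
// Added example, not opensourcepos code. The leading '">' of the reported payload
// assumes the value lands inside a double-quoted attribute; the template below
// reproduces that context with an assumed field name.

const PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">'; // payload as posted in the report

// Hypothetical vulnerable template: the saved value is interpolated raw into value="..."
function renderUnsafe(value) {
  return `<input type="text" name="barcode" value="${value}">`;
}

// Hypothetical case-sensitive blocklist; the mixed-case payload passes straight through
function naiveFilter(value) {
  return value.replace(/<img|onerror/g, '');
}

// Attribute-context escaping: every character that can close an attribute or open a tag
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Same template with the value escaped before interpolation
function renderSafe(value) {
  return `<input type="text" name="barcode" value="${escapeHtml(value)}">`;
}

// Minimal start-tag tokenizer. It walks the markup, skips over quoted attribute
// values, and returns each tag name with its attribute names lowercased (browsers
// treat both case-insensitively). Text inside quotes never becomes a tag or an
// attribute, which is exactly why escaping the quote characters is sufficient.
function parseStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i++; continue; }
    const tag = { name: m[1].toLowerCase(), attrs: [] };
    i += m[0].length;
    let expectValue = false;
    while (i < html.length && html[i] !== '>') {
      const c = html[i];
      if (c === '"' || c === "'") {                 // quoted value: jump to its closing quote
        const end = html.indexOf(c, i + 1);
        i = end === -1 ? html.length : end + 1;
        expectValue = false;
      } else if (c === '=') {
        expectValue = true; i++;
      } else if (/[\s\/]/.test(c)) {
        i++;
      } else {                                      // bare token: attribute name or unquoted value
        const tok = /^[^\s"'>\/=]+/.exec(html.slice(i))[0];
        if (expectValue) expectValue = false; else tag.attrs.push(tok.toLowerCase());
        i += tok.length;
      }
    }
    tags.push(tag);
    i++; // step past '>'
  }
  return tags;
}

// True when any element in the markup carries an inline event-handler attribute
function hasEventHandler(html) {
  return parseStartTags(html).some((t) => t.attrs.some((a) => /^on[a-z]+$/.test(a)));
}

// Stand-alone run: compare the three renderings
for (const [label, html] of [
  ['unsafe', renderUnsafe(PAYLOAD)],
  ['naive filter', renderUnsafe(naiveFilter(PAYLOAD))],
  ['escaped', renderSafe(PAYLOAD)],
]) {
  console.log(label, parseStartTags(html).map((t) => t.name), 'handler:', hasEventHandler(html));
}
```

The mixed case in the payload is not cosmetic: a blocklist that matches `<img` or `onerror` case-sensitively, like the hypothetical naiveFilter above, leaves it untouched while the browser still parses `iMg` and `oNeRRor` as an image tag with an error handler. Encoding the value at the point where it is written into the page, in the context it is written into, is the fix; filtering input is not.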

We are processing your report and will contact the opensourcepos team within 24 hours. 5 months ago
Asura-N modified the report
5 months ago
We have contacted a member of the opensourcepos team and are waiting to hear back 5 months ago
We have sent a follow up to the opensourcepos team. We will try again in 7 days. 5 months ago
5 months ago

Can you check if this still works? We have added some XSS mitigations in that version and will release this soon.

5 months ago

I tried this on dev and it does not work.

jekkos validated this vulnerability 5 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
5 months ago


Hi @jekkos, it is still working with the same payload on both the barcode and name fields.

Thanks @Asura-N

a month ago

I made a fix for this in the master branch.

a month ago

jekkos confirmed that a fix has been merged on 9331d8 a month ago
jekkos has been awarded the fix bounty