Cross-site Scripting (XSS) - Reflected in opensourcepos/opensourcepos
Dec 18th 2021
Reflected Cross site scripting vulnerability in barcode field and name field in itemkits category
Proof of Concept
Login to the demo account
Go to item kits , edit any item and add payload in barcode field and click save
payload "><iMg SrC="x" oNeRRor="alert(1);">
poc 1 https://ibb.co/ZJZLKdQ
poc 2 https://ibb.co/D4x2jSf
This vulnerability is capable of stolen the user cookie
Can you check if this stil works on dev.opensourcepos.org we have added some xss mitigations in that version and will release this soon.
I tried this on dev and it does not work
hi @jekkos it is still working with same payload on https://dev.opensourcepos.org/item_kits both barcode and name fields
I made a fix for this in master branch.