CVE-2025-67263 in Retail Point of Sale
Summary
by MITRE • 01/20/2026
Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which, persisted in the database.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/20/2026
The vulnerability identified as CVE-2025-67263 represents a critical stored cross-site scripting flaw within the Abacre Retail Point of Sale version 14.0.0.396 application. This security weakness specifically manifests within the Clients module where user-provided data is persistently stored without adequate sanitization measures. The affected fields include both Name and Surname parameters that serve as entry points for malicious input injection. When legitimate users interact with the application's client management interface, they inadvertently execute the malicious code embedded within these stored fields, creating a persistent threat vector that affects all application users.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the application's data handling pipeline. The system accepts user-supplied HTML and script content without proper sanitization, allowing attackers to store malicious payloads directly within the database. This stored data becomes part of the application's normal response cycle when client information is displayed, thereby executing the malicious script within the context of other users' browser sessions. The vulnerability operates at the intersection of data persistence and client-side execution, creating a scenario where a single compromised input field can propagate malicious code across multiple user interactions.
The operational impact of this stored XSS vulnerability extends beyond simple data corruption or display manipulation. Attackers can leverage this weakness to hijack user sessions, steal sensitive information, perform unauthorized transactions, or redirect users to malicious websites. The persistence of the vulnerability means that even after the initial injection, the malicious code continues to execute whenever affected client data is viewed, creating an ongoing threat vector. This particular weakness affects the retail point of sale environment where user trust is paramount, potentially compromising customer data and financial transaction integrity. The vulnerability directly violates industry standards such as CWE-79 which specifically addresses cross-site scripting flaws and aligns with ATT&CK technique T1531 focusing on credential access through malicious code execution.
Mitigation strategies for CVE-2025-67263 should prioritize immediate implementation of proper input sanitization and output encoding mechanisms throughout the application's data handling processes. The application must enforce strict validation of all user-supplied input, particularly within the Clients module, ensuring that HTML and script content is either rejected or properly escaped before storage. Organizations should implement Content Security Policy headers to limit script execution contexts and consider implementing a web application firewall to detect and block suspicious input patterns. Regular security testing including dynamic application security testing and manual penetration testing should be conducted to identify similar vulnerabilities within the application's codebase. Additionally, comprehensive user education regarding the risks of entering untrusted content into application fields remains essential for maintaining overall security posture. The remediation process should include thorough code review of all data entry points and implementation of robust sanitization libraries to prevent similar vulnerabilities from emerging in future application versions.