CVE-2025-70091 in OpenSourcePOS

Summary

by MITRE • 02/13/2026

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Phone Number parameter.


Analysis

by VulDB Data Team • 02/14/2026

The cross-site scripting vulnerability tracked as CVE-2025-70091 resides in the Customers function of OpenSourcePOS v3.4.1 and represents a critical flaw in the application's input validation. The Phone Number parameter is not sanitized before it is rendered in the web interface, so an attacker can inject script that executes in the browsers of other users and potentially compromises the wider application.

The issue manifests as a classic reflected cross-site scripting attack: a malicious payload submitted through the Phone Number field is executed when the affected page renders the customer data. The attack vector relies on the absence of both input sanitization and output encoding, which lets the payload bypass the application's security controls. Under CWE-79 this maps to insufficient input validation, where user-supplied data is incorporated into dynamically generated web content without adequate filtering. The vulnerability poses a significant risk to user privacy and application integrity.

The operational impact goes beyond script execution alone: an attacker could hijack sessions, steal sensitive customer information, manipulate data within the application, or redirect users to malicious websites. Exploitation could yield unauthorized access to customer records, modification of billing information, or even privilege escalation within the system. Because the XSS is reflected, the payload must reach the victim through a crafted link or email, which makes the flaw particularly dangerous in social engineering campaigns. It aligns with ATT&CK technique T1566, covering the initial access phase through malicious inputs.

Mitigation for CVE-2025-70091 should prioritize proper input validation and output encoding in the Customers function. All user input, and the Phone Number parameter in particular, should be validated against strict rules that reject or escape potentially harmful characters; a whitelist-based approach that accepts only known good phone number formats and escapes any character that could be interpreted as HTML or JavaScript is recommended. Organizations should also deploy a content security policy to prevent unauthorized script execution and set appropriate security-related HTTP headers. Regular security audits and input validation testing should be conducted so that similar weaknesses do not emerge in other application components, and the application should be updated to a patched version that handles user input correctly and applies comprehensive sanitization across all input fields.
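The two controls recommended above, allowlist validation of the phone number and HTML encoding at the point of output, as an added PHP example that is not OpenSourcePOS code; the function names and the constructed inputs are assumptions:

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helpers, not OpenSourcePOS code): allowlist
// validation plus output encoding for a customer phone-number field.

// Accept only characters that legitimately occur in phone numbers
// (digits, a leading +, spaces, dashes, dots, parentheses) with a sane length.
// Returns null when the input must be rejected rather than "cleaned".
function validatePhoneNumber(string $input): ?string
{
    $trimmed = trim($input);
    if ($trimmed === '' || !preg_match('/^\+?[0-9 .()\-]{7,20}$/', $trimmed)) {
        return null;
    }
    return $trimmed;
}

// Vulnerable pattern: the stored value is concatenated straight into the
// page, so any markup it contains is parsed by the browser.
function renderPhoneCellUnsafe(string $phone): string
{
    return '<td class="phone">' . $phone . '</td>';
}

// Hardened pattern: the value is HTML-entity encoded at output time.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps invalid
// UTF-8 from making htmlspecialchars() return an empty string.
function renderPhoneCell(string $phone): string
{
    $safe = htmlspecialchars($phone, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td class="phone">' . $safe . '</td>';
}

// Constructed inputs: one valid number and one value carrying markup.
$inputs = ['+1 (555) 010-0199', '555<i>x</i>0199'];

foreach ($inputs as $raw) {
    $valid = validatePhoneNumber($raw);
    echo "input:    {$raw}\n";
    echo "accepted: " . ($valid === null ? 'no (rejected by allowlist)' : 'yes') . "\n";
    // Even a value that slipped past validation is rendered inert.
    echo "unsafe:   " . renderPhoneCellUnsafe($raw) . "\n";
    echo "encoded:  " . renderPhoneCell($raw) . "\n\n";
}
```

Validation and encoding are independent layers: the allowlist rejects the second input outright, while the encoder still neutralises it if it ever reaches the template by another path.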

Responsible

MITRE

Reservation

01/09/2026

Disclosure

02/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00052

KEV

no

Activities

very low

Sources
