UltimatePOS 4.8 Cross Site Scripting

Published: 04 May 2026 00:00:00
Reported by: Vivien Lebas
Type: packetstorm
Source: packetstorm.news
Views: 43

Stored XSS in UltimatePOS 4.8: Purchases Reference No shown in Activity Log enabling admin access.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| GithubExploit | Exploit for CVE-2025-60503 | 30 Oct 2025 16:31 | githubexploit |
| Circl | CVE-2025-60503 | 30 Oct 2025 15:31 | circl |
| CNNVD | Ultimate Fosters UltimatePOS security vulnerability | 3 Nov 2025 00:00 | cnnvd |
| CVE | CVE-2025-60503 | 3 Nov 2025 00:00 | cve |
| Cvelist | CVE-2025-60503 | 3 Nov 2025 00:00 | cvelist |
| EUVD | EUVD-2025-37504 | 3 Nov 2025 18:31 | euvd |
| NVD | CVE-2025-60503 | 3 Nov 2025 16:15 | nvd |
| OSV | CVE-2025-60503 | 3 Nov 2025 16:15 | osv |
| Positive Technologies | PT-2025-44782 | 3 Nov 2025 00:00 | ptsecurity |
| RedhatCVE | CVE-2025-60503 | 4 Nov 2025 00:53 | redhatcve |
# CVE-2025-60503 — Stored Cross-Site Scripting (XSS) in UltimatePOS (UltimateFosters) v4.8

**Publication date:** 2025-10-30  
**CVE ID:** CVE-2025-60503 *(RESERVED)*  
**Researcher:** Vivien Lebas  
**Vendor:** UltimateFosters  
**Product:** [UltimatePOS](https://codecanyon.net/item/ultimate-pos-stock-management-point-of-sale-application/21216332)  
**Affected version:** 4.8  
**Vulnerability type:** Stored Cross-Site Scripting (XSS)  
**Severity:** High  

---

## Overview

A **Stored XSS** vulnerability exists in the **UltimatePOS** admin panel (v4.8).  
The `Reference No.` field in the **Purchases** module accepts unsanitized user input, which is later rendered without proper escaping in the **Reports → Activity Log** page.

This allows an attacker with admin access to execute arbitrary JavaScript in the context of another administrator's browser session.

---

## Affected components

- Purchases → List Purchases → + Add
- Reports → Activity Log

---

## Technical details

When adding a new purchase, the `Reference No.` field value is stored directly and then reflected in the activity log view.  
Because the output is not escaped, any embedded HTML/JavaScript executes when the log is viewed.

---

## Proof of Concept (PoC)

> ⚠️ **For testing purposes only** – do not use this PoC on production systems.

1. Log in as an administrator.
2. Navigate to: Purchases → List Purchases → + Add
3. In the **Reference No.** field, insert: `<script>alert('XSS')</script>`
4. Fill all required fields, then click **Save**.
5. Navigate to: Reports → Activity Log
6. The alert box appears — JavaScript executed successfully (stored XSS confirmed).

## Impact

| Impact | Description |
|---|---|
| Code execution | Arbitrary JS runs in the admin browser context |
| Session hijacking | Attacker may steal session tokens |
| Data theft | Exfiltration of sensitive admin data possible |
| Phishing | Fake UI overlays or redirection attacks possible |

---

## Mitigation & Recommendations

For vendor:

- Sanitize and validate all user input (especially Reference No.)
- Encode output before rendering dynamic values in HTML
- Enforce Content Security Policy (CSP) headers
- Secure cookies (HttpOnly, SameSite=strict)

For users:

- Restrict admin access to trusted users
- Avoid shared admin accounts
- Monitor activity logs for suspicious payloads
- Apply patches immediately once vendor releases them
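
The data flow from the Technical details section and the vendor/user recommendations above, as an added illustration written for this page (not UltimatePOS code): the unescaped log row beside its output-encoded form, an assumed Reference No. validation policy, and an audit pass over constructed log entries that flags markup in the field.

```javascript
// Added illustration, not UltimatePOS code. Entry shape and the Reference No.
// policy below are assumptions made for this example.

// Constructed activity-log sample; entry 2 carries the advisory's PoC payload.
const SAMPLE_LOG = [
  { id: 1, user: "admin", action: "purchase_added", reference_no: "PO-2025-001" },
  { id: 2, user: "admin", action: "purchase_added",
    reference_no: "<script>alert('XSS')</script>" },
  { id: 3, user: "buyer", action: "purchase_added",
    reference_no: "PO-2025-003 <img src=x onerror=alert(1)>" },
];

// Encode the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// which is what the advisory describes for the Activity Log view.
function renderRowUnsafe(e) {
  return `<tr><td>${e.user}</td><td>${e.action}</td><td>${e.reference_no}</td></tr>`;
}

// Hardened pattern: every dynamic value is encoded before it reaches the HTML.
function renderRowSafe(e) {
  return `<tr><td>${escapeHtml(e.user)}</td><td>${escapeHtml(e.action)}</td>` +
    `<td>${escapeHtml(e.reference_no)}</td></tr>`;
}

// Input validation (assumed policy: 1-64 printable identifier characters, no markup).
// Defence in depth only; the output encoding above is still required.
const REFERENCE_NO_RE = /^[A-Za-z0-9][A-Za-z0-9 _\-\/.#]{0,63}$/;
function isValidReferenceNo(value) {
  return REFERENCE_NO_RE.test(value);
}

// Audit for the "monitor activity logs for suspicious payloads" recommendation:
// ids of entries whose Reference No. contains a tag, an inline event handler
// or a javascript: URL.
const MARKUP_RE = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousEntries(entries) {
  return entries.filter((e) => MARKUP_RE.test(e.reference_no)).map((e) => e.id);
}
```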

---

## Credits

- Researcher: Vivien Lebas
- CVE ID: CVE-2025-60503
- Product: UltimatePOS by UltimateFosters

## References

- Vendor: https://ultimatefosters.com
- Product listing: UltimatePOS (CodeCanyon #21216332)
- CVE entry (pending): CVE-2025-60503 — RESERVED

Note: This vulnerability differs from CVE-2025-40980, which affects a different component of the same product.

Scores (current as of 04 May 2026 00:00):

- Vulners AI Score: 5.3 (Medium risk)
- CVSS 3.1: 8.7
- EPSS: 0.00334
- Views: 43