UltimatePOS 4.8 Cross Site Scripting

Published: 04 May 2026 00:00:00
Reported by: Vivien Lebas
Type: packetstorm
Source: packetstorm.news

Stored XSS in UltimatePOS 4.8: the Purchases `Reference No.` value is rendered unescaped in the Activity Log, so a stored payload runs in the browser of any administrator who views the log and can be used to take over that session.

# CVE-2025-60503: Stored Cross-Site Scripting (XSS) in UltimatePOS (UltimateFosters) v4.8

**Publication date:** 2025-10-30  
**CVE ID:** CVE-2025-60503 *(RESERVED at time of writing)*  
**Researcher:** Vivien Lebas  
**Vendor:** UltimateFosters  
**Product:** [UltimatePOS](https://codecanyon.net/item/ultimate-pos-stock-management-point-of-sale-application/21216332)  
**Affected version:** 4.8  
**Vulnerability type:** Stored Cross-Site Scripting (XSS)  
**Severity:** High  

---

## Overview

A **Stored XSS** vulnerability exists in the **UltimatePOS** admin panel (v4.8).  
The `Reference No.` field in the **Purchases** module accepts arbitrary input, which is stored and later rendered without HTML escaping on the **Reports → Activity Log** page.

An attacker with an account that can add purchases (the advisory tests with an administrator) can therefore store a payload that executes arbitrary JavaScript in the browser of every other administrator who opens the Activity Log. Because the payload is stored, it fires each time the log is viewed, not only once.

---
    
## Affected components

- Purchases → List Purchases → + Add (input)
- Reports → Activity Log (unescaped output)

---
    
## Technical details

When a new purchase is added, the `Reference No.` value is stored as submitted and later included in the Activity Log view.  
Because the value is inserted into the page without HTML entity encoding, any HTML or JavaScript it contains is parsed and executed by the browser of whoever views the log. Input-side filtering alone would not be a complete fix: the defect is at the output, and the log template must encode the value for the context in which it is rendered.
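As an added illustration (not code from UltimatePOS or the advisory author), the following JavaScript models the rendering defect described above: a log row built by plain string interpolation, beside the same row with each dynamic value HTML-entity-encoded at the point of output. The entry field names (`user`, `action`, `reference_no`) and the row layout are assumptions made for the example.

```javascript
// Added example, not UltimatePOS code. Field names and row layout are assumed.

// Vulnerable: the stored value is interpolated straight into HTML, so a
// Reference No. containing markup becomes part of the page's DOM.
function renderLogRowVulnerable(entry) {
  return `<tr><td>${entry.user}</td><td>${entry.action}</td>` +
         `<td>Reference No.: ${entry.reference_no}</td></tr>`;
}

// HTML entity encoding suitable for text nodes and quoted attribute values.
// A single-pass replace means the inserted "&amp;" is never re-encoded.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every dynamic value is encoded where it is rendered, which is the
// fix the advisory calls for (input validation alone would not be sufficient).
function renderLogRow(entry) {
  return `<tr><td>${escapeHtml(entry.user)}</td><td>${escapeHtml(entry.action)}</td>` +
         `<td>Reference No.: ${escapeHtml(entry.reference_no)}</td></tr>`;
}

// True if the rendered HTML still contains a live <script> tag.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the advisory's PoC payload stored as a purchase reference.
const poisonedEntry = {
  user: "admin",
  action: "purchase.added",
  reference_no: "<script>alert('XSS')</script>",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderLogRowVulnerable(poisonedEntry));
  console.log("hardened:  ", renderLogRow(poisonedEntry));
}
```

Run with `node` to see both rows: the first contains the raw `<script>` element, the second only the entity-encoded text the user actually typed.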
    
---
    
## Proof of Concept (PoC)

> ⚠️ **For testing purposes only**: do not run this PoC against production systems.

1. Log in as an administrator.
2. Navigate to **Purchases → List Purchases → + Add**.
3. In the **Reference No.** field, enter:

   `<script>alert('XSS')</script>`

4. Fill in all other required fields and click **Save**.
5. Navigate to **Reports → Activity Log**.
6. The alert box appears: the JavaScript executed, confirming the stored XSS.
    
## Impact

| Impact | Description |
|---|---|
| Code execution | Arbitrary JavaScript runs in the administrator's browser context |
| Session hijacking | The attacker may steal session tokens |
| Data theft | Exfiltration of sensitive admin data is possible |
| Phishing | Fake UI overlays or redirection attacks are possible |
## Mitigation & Recommendations

**For vendor:**

- Validate `Reference No.` (and every other user-controlled field) on input, but treat this as defence in depth rather than the fix.
- Encode every dynamic value at the point it is rendered into HTML (entity-encode for text nodes and attribute values); this is what actually closes the bug.
- Enforce a Content Security Policy that disallows inline scripts, so an injected `<script>` block is refused by the browser even if an encoding gap remains.
- Mark session cookies `HttpOnly` and `SameSite=Strict`. Note that `HttpOnly` only prevents `document.cookie` theft; it does not stop requests the injected script issues from the victim's already-authenticated session.

**For users:**

- Restrict admin access to trusted users.
- Avoid shared admin accounts.
- Monitor activity logs and purchase records for HTML tags, event-handler attributes or `javascript:` URIs in the `Reference No.` field.
- Apply patches immediately once the vendor releases them.
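To make the "monitor activity logs for suspicious payloads" recommendation concrete, here is an added JavaScript check (not part of the advisory or the product) that scans exported activity-log or purchase records for the indicators a stored-XSS payload in `Reference No.` would leave. The entries below are constructed for the example and the field names (`id`, `user`, `reference_no`) are assumed; the patterns are triage heuristics and will also flag harmless markup such as `<b>`, which is intended.

```javascript
// Added example, not UltimatePOS code. Record shape is assumed; the entries
// are constructed here and would normally come from an Activity Log or
// purchases export.

// Indicators of HTML/JS injection in a free-text field, in triage order.
const SUSPICIOUS_PATTERNS = [
  { name: "html-tag",       re: /<\s*\/?\s*[a-z][\w-]*[^>]*>/i }, // any element
  { name: "event-handler",  re: /\bon[a-z]+\s*=/i },              // onerror=, onload=
  { name: "javascript-uri", re: /javascript\s*:/i },              // href="javascript:"
];

// Returns the entries whose Reference No. matches at least one pattern,
// together with the names of the patterns that fired, so a responder can
// prioritise records with executable indicators over plain formatting tags.
function findSuspiciousReferences(entries) {
  const hits = [];
  for (const entry of entries) {
    const value = String(entry.reference_no ?? "");
    const matched = SUSPICIOUS_PATTERNS
      .filter((p) => p.re.test(value))
      .map((p) => p.name);
    if (matched.length > 0) {
      hits.push({ id: entry.id, user: entry.user, reference_no: value, matched });
    }
  }
  return hits;
}

// Constructed sample records: two benign, four carrying markup.
const sampleEntries = [
  { id: 101, user: "clerk1", reference_no: "PO-2025-0001" },
  { id: 102, user: "admin",  reference_no: "<script>alert('XSS')</script>" },
  { id: 103, user: "admin",  reference_no: "<img src=x onerror=alert(1)>" },
  { id: 104, user: "clerk2", reference_no: "PO-2025-0002 <b>urgent</b>" },
  { id: 105, user: "clerk3", reference_no: "Invoice 7 & 8" },
  { id: 106, user: "clerk4", reference_no: '<a href="javascript:alert(1)">ref</a>' },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findSuspiciousReferences(sampleEntries)) {
    console.log(`#${hit.id} by ${hit.user}: ${hit.matched.join(", ")} -> ${hit.reference_no}`);
  }
}
```

Anything flagged by `event-handler` or `javascript-uri` warrants immediate attention, since those indicate an attempt at execution rather than stray formatting; `html-tag` alone on a legitimate-looking reference can be reviewed at lower priority.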
    
    
    
    
## Credits

- Researcher: Vivien Lebas
- CVE ID: CVE-2025-60503
- Product: UltimatePOS by UltimateFosters

## References

- Vendor: https://ultimatefosters.com
- Product listing: UltimatePOS (CodeCanyon #21216332)
- CVE entry (pending): CVE-2025-60503 (RESERVED)

Note: This vulnerability differs from CVE-2025-40980, which affects a different component of the same product.


Vulners AI Score: 5.3 (medium risk)
CVSS 3.1: 8.7
EPSS: 0.00045