Cross-Site Scripting (XSS) in UltimatePOS

Posted date 31/07/2025
Identifier
INCIBE-2025-0415
Importance
3 - Medium
Affected Resources

UltimatePOS, v6.4.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting UltimatePOS by UltimateFosters, a point of sale and ERP system. The vulnerability was discovered by Andrea Intilangelo (acme).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40980: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

The vulnerability has been fixed by the UltimateFosters team in version 6.7.

Detail

CVE-2025-40980: A Stored Cross-Site Scripting vulnerability has been found in UltimatePOS by UltimateFosters. This vulnerability is due to the lack of proper validation of user input submitted to ‘/products/<PRODUCT_ID>/edit’, affecting the ‘name’ parameter sent via POST. The vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal their session cookie details.
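The defensive pattern for this class of bug, shown as an added example that is not UltimatePOS's own code (the function names, check rules and sample product names are assumptions made here): the 'name' value submitted to the product edit endpoint is validated server-side, HTML-encoded when rendered, and names already stored before the upgrade to 6.7 can be audited for embedded markup.

```python
import html
import re

# Constructed sample values for the product 'name' field (not real UltimatePOS data).
SAMPLE_NAMES = ["Blue Widget 10mm", '5" pipe', "Widget <script>alert(1)</script>"]
MAX_NAME_LEN = 255  # assumed limit; the real schema may differ

def validate_product_name(name: str) -> tuple[bool, str]:
    """Server-side check for the POST 'name' parameter.
    Rejects empty, over-long names and control characters. Markup is not
    rejected here on purpose: output encoding is the actual XSS defence."""
    if not name or len(name) > MAX_NAME_LEN:
        return False, "name length out of range"
    if re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", name):
        return False, "control characters not allowed"
    return True, ""

def render_product_row_vulnerable(name: str) -> str:
    # Unescaped interpolation: markup stored in 'name' is interpreted by the
    # browser of every user who views the product list.
    return f"<td>{name}</td>"

def render_product_row(name: str) -> str:
    # Entity-encode for HTML element content; quote=True also makes the value
    # safe when the same string is reused inside a quoted attribute.
    return f"<td>{html.escape(name, quote=True)}</td>"

_MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def audit_stored_names(names: list[str]) -> list[str]:
    """Detection helper: return stored names that contain tag-like markup,
    event-handler attributes or javascript: URLs, for review after patching."""
    return [n for n in names if _MARKUP.search(n)]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(validate_product_name(n), render_product_row(n))
    print("needs review:", audit_stored_names(SAMPLE_NAMES))
```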

CVE
Exploitation
No
CVE identifier
CVE-2025-40980
Severity
Medium