Cross-Site Scripting (XSS) in UltimatePOS
UltimatePOS, v6.4.
INCIBE has coordinated the publication of a medium severity vulnerability affecting UltimatePOS by UltimateFosters, a point of sale and ERP system. The vulnerability was discovered by Andrea Intilangelo (acme).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40980: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerability has been fixed by UltimateFosters team in version 6.7.
CVE-2025-40980: A stored Cross-Site Scripting (XSS) vulnerability has been found in UltimatePOS by UltimateFosters. It is caused by insufficient validation of user input submitted to ‘/products/<PRODUCT_ID>/edit’, specifically the ‘name’ parameter sent via POST. The vulnerability could allow a remote attacker to send a specially crafted request to an authenticated user and steal that user's session cookie details.
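As an added illustration (not UltimatePOS code; the column names, sample rows and helper names are constructed), the following Python shows the two defensive measures that matter for a stored XSS in a product name: HTML-encoding the stored value at every point it is rendered, both as text and inside the edit form's attribute, and auditing names already in the database for markup that may have been injected before the upgrade to 6.7.

```python
import html
import re
from typing import Optional

# Constructed sample rows standing in for stored product records. The column
# names and values are hypothetical, not UltimatePOS's schema or data.
SAMPLE_PRODUCTS = [
    {"id": 101, "name": "Espresso Cup 200ml"},
    {"id": 102, "name": "Tom & Jerry Mug <limited>"},        # needs encoding, but not an attack
    {"id": 103, "name": "<script>CONSTRUCTED</script>"},      # injected markup
    {"id": 104, "name": 'Mug" onfocus="CONSTRUCTED'},         # breaks out of a value="..." attribute
]

# Patterns that never belong in a legitimate product name.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript:", re.I
)

def render_name_cell_unsafe(name: str) -> str:
    """The defective pattern: the stored name is concatenated into HTML verbatim."""
    return f"<td>{name}</td>"

def render_name_cell(name: str) -> str:
    """Hardened: encode for HTML text content at the point of output."""
    return f"<td>{html.escape(name, quote=True)}</td>"

def render_name_input(name: str) -> str:
    """Hardened: the edit form echoes the stored name inside a quoted attribute,
    so quotes must be encoded as well (quote=True covers both " and ')."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'

def classify_name(name: str) -> Optional[str]:
    """'suspicious' for script/handler patterns, 'review' for any name that is
    not plain text (it would change under HTML encoding), None when clean."""
    if SUSPICIOUS.search(name):
        return "suspicious"
    if html.escape(name, quote=True) != name:
        return "review"
    return None

def audit_stored_names(rows) -> dict:
    """Map product id -> tier for every stored name that deserves a look,
    e.g. when checking whether the flaw was abused before patching."""
    return {row["id"]: tier for row in rows if (tier := classify_name(row["name"])) is not None}

if __name__ == "__main__":
    for pid, tier in audit_stored_names(SAMPLE_PRODUCTS).items():
        print(pid, tier)
```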