Stored Cross-Site Scripting (XSS) in Pharmacy POS PHP Script
Pharmacy POS PHP Script.
INCIBE has coordinated the publication of a medium severity vulnerability affecting Pharmacy POS PHP Script, a solution to streamline pharmacy operations and improve customer service. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability type CWE:
- CVE-2025-40724: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerability has been fixed by the Pharmacy POS PHP Script team in the latest software release.
CVE-2025-40724: stored Cross-Site Scripting (XSS) vulnerability in Pharmacy POS PHP Script. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the u_medicine_name parameter in /edit_medicine.php. This vulnerability can be exploited to steal sensitive user data such as session cookies or to perform actions on behalf of the user.
