Platform
php
Component
codeigniter
Fixed in
3.4.4
CVE-2026-32712 describes a Stored Cross-Site Scripting (XSS) vulnerability within the Open Source Point of Sale application, built using the CodeIgniter framework. This flaw allows an attacker to inject malicious JavaScript code into the customer_name field of the Daily Sales management table. The vulnerability impacts versions 1.0.0 through 3.4.2 of the application, and a fix is available in version 3.4.3.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the browsers of users who view the Daily Sales page. This could lead to various malicious actions, including session hijacking, redirection to phishing sites, defacement of the application's interface, and theft of sensitive information like customer data or financial details. The impact is amplified if the Daily Sales page is frequently accessed by multiple users with different privilege levels. The attacker requires customer management permissions to inject the malicious code, but once injected, it affects all users viewing the affected page.
This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (POC) code has been released as of the disclosure date. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using the Open Source Point of Sale application with versions 1.0.0 through 3.4.2, particularly those with customer-facing interfaces and limited input validation, are at risk. Shared hosting environments where multiple applications share the same server resources are also at increased risk, as a compromised application could potentially impact other tenants.
• php / web:
grep -r "escape: false" /path/to/opensrcpos/application/config/bootstrap.php
• generic web:
curl -I http://your-pos-instance/daily_sales | grep -i content-security-policy
• generic web:
Check access logs for unusual POST requests to the Daily Sales page carrying potentially malicious input in the customer_name parameter.
disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32712 is to upgrade to version 3.4.3 of the Open Source Point of Sale application. If immediate upgrading is not possible due to compatibility issues or downtime constraints, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input in the customer_name field. Specifically, the WAF should be configured to sanitize HTML entities and block JavaScript execution. Additionally, review and restrict access permissions to the customer management functionality to limit the number of potential attackers. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the customer_name field and verifying that it is not executed.
Upgrade to version 3.4.3 or later to mitigate the XSS vulnerability. The update corrects the incorrect escape configuration on the customer_name column, preventing the injection of malicious code.
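The following is an added illustration, not code from the Open Source Point of Sale project, CodeIgniter, or this advisory. It shows the two halves of the issue the advisory describes: a table column rendered with escaping switched off (`escape: false`) passes a stored customer_name value straight into the page as markup, while the hardened column definition encodes it as text; and a small detection helper flags stored customer_name values that carry HTML tags, event-handler attributes, or `javascript:` URLs, which is the kind of check to run over exported records or access logs. The column-definition shape, the `renderRow` and `findSuspiciousNames` functions, and the sample records are all constructed for this example.

```javascript
// Added example (not OSPOS or CodeIgniter code). Demonstrates why a data-table
// column with escaping disabled is a stored-XSS sink, what the hardened
// configuration looks like, and a detector for stored values carrying markup.

// Minimal HTML escaper covering the characters that matter in text and
// double- or single-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Column definitions in the style of a data-table config (constructed shape).
// `escape: false` on customer_name is the misconfiguration described above;
// the hardened set leaves escaping on for every column that shows user input.
const vulnerableColumns = [
  { field: 'customer_name', escape: false },
  { field: 'total', escape: true },
];
const hardenedColumns = [
  { field: 'customer_name', escape: true },
  { field: 'total', escape: true },
];

// Render one Daily Sales row as an HTML string according to the column config.
function renderRow(record, columns) {
  const cells = columns.map((col) => {
    const raw = record[col.field] ?? '';
    const text = col.escape ? escapeHtml(raw) : String(raw);
    return `<td>${text}</td>`;
  });
  return `<tr>${cells.join('')}</tr>`;
}

// Detection: a customer name should never contain a tag, an inline event
// handler (onerror=, onload=, ...) or a javascript: URL. Case-insensitive so
// mixed-case evasions such as <ScRiPt> are still caught.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|on\w+\s*=|javascript\s*:/i;

function findSuspiciousNames(records) {
  return records
    .filter((r) => MARKUP_PATTERN.test(String(r.customer_name ?? '')))
    .map((r) => ({ id: r.id, customer_name: r.customer_name }));
}

// Constructed sample records, not real data. Record 2 shows that legitimate
// punctuation must survive escaping; record 3 is the classic probe payload.
const sampleRecords = [
  { id: 1, customer_name: 'Ada Lovelace', total: '12.50' },
  { id: 2, customer_name: "O'Brien & Sons", total: '40.00' },
  { id: 3, customer_name: '<img src=x onerror=alert(1)>', total: '0.00' },
];

// Side-by-side rendering of the same stored value under each configuration.
console.log('vulnerable:', renderRow(sampleRecords[2], vulnerableColumns));
console.log('hardened:  ', renderRow(sampleRecords[2], hardenedColumns));
console.log('flagged:   ', JSON.stringify(findSuspiciousNames(sampleRecords)));
```

Running the block with Node prints the vulnerable row with the `<img>` tag intact (the browser would execute its handler when the Daily Sales page loads) and the hardened row with `&lt;img ...&gt;`, which displays as literal text. `findSuspiciousNames` returns only record 3; the ampersand and apostrophe in record 2 are not flagged, and are encoded rather than stripped, so the hardened rendering does not corrupt legitimate names. The same pattern can be applied to the `customer_name` parameter in access logs as a complement to the grep check listed above.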
CVE-2026-32712 is a Stored Cross-Site Scripting (XSS) vulnerability in Open Source Point of Sale versions 1.0.0 through 3.4.2, allowing attackers to inject JavaScript code via the customer_name field.
You are affected if you are using Open Source Point of Sale versions 1.0.0 to 3.4.2. Upgrade to 3.4.3 to mitigate the risk.
Upgrade to version 3.4.3 of the Open Source Point of Sale application. As a temporary workaround, implement a WAF rule to sanitize HTML entities and block JavaScript execution.
There is currently no indication of active exploitation campaigns targeting this specific vulnerability.
Refer to the Open Source Point of Sale project's official channels and CodeIgniter's security advisories for updates and official guidance.