mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-03-12 04:02:19 -04:00
1. Stock Location XSS (GHSA-7hg5-68rx-xpmg):
   - Stock location names were rendered unescaped in employee form
   - Malicious stock locations could contain XSS payloads that execute when viewing employee permissions
   - Fixed by adding esc() to permission display in employees/form.php

2. Customer Name XSS (GHSA-hcfr-9hfv-mcwp):
   - Bootstrap-table columns had escape disabled for customer_name, email, phone_number, and note fields
   - Malicious customer names could execute XSS in Daily Sales view
   - Fixed by removing user-controlled fields from escape exception list
   - Only 'edit', 'messages', and 'item_pic' remain in exception list (these contain safe server-generated HTML)

Both vulnerabilities allow authenticated attackers with basic permissions to inject JavaScript that executes in admin/other user sessions.