CVE-2025-10064 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the itsourcecode POS Point of Sale System. The vulnerability arises from improper handling of the 'scripts' argument within the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_two_headers.php. This flaw allows an attacker to inject malicious scripts remotely without requiring authentication or privileges. When exploited, the injected scripts can execute in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity and no privileges required. However, user interaction is necessary for the malicious script to execute, such as the victim visiting a crafted URL or interacting with a compromised interface. The vulnerability does not impact confidentiality directly but can lead to limited integrity and availability issues through script execution. No patches or fixes have been published yet, and no known exploits are currently observed in the wild, although a public exploit has been released, increasing the risk of exploitation.

For European organizations using the itsourcecode POS Point of Sale System version 1.0, this vulnerability poses a tangible risk to the security of their retail or service operations. POS systems handle sensitive transaction data and customer information, so exploitation could lead to theft of payment credentials or manipulation of transaction data. While the XSS vulnerability itself does not directly compromise backend systems, it can be leveraged as a stepping stone for phishing attacks, session hijacking, or delivering further malware payloads. This could result in financial losses, reputational damage, and regulatory compliance issues under GDPR due to potential exposure of personal data. The need for user interaction limits the ease of exploitation but does not eliminate risk, especially in environments where employees or customers routinely interact with the POS interface. The lack of an official patch increases the urgency for organizations to implement compensating controls to mitigate potential attacks.

1. Immediate mitigation should include implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the vulnerable parameter. 2. Restrict access to the POS management interfaces to trusted networks and authenticated users only, reducing exposure to remote attackers. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the POS web interface. 4. Conduct user awareness training to recognize suspicious URLs or unexpected prompts related to POS systems. 5. Monitor logs and network traffic for unusual activities indicative of attempted XSS exploitation. 6. Engage with the vendor to obtain patches or updates and plan for prompt deployment once available. 7. If feasible, isolate the POS system network segment to limit lateral movement in case of compromise. 8. Review and sanitize all user inputs and parameters in the POS system codebase as a long-term remediation step.