CVE-2025-10065: Cross Site Scripting in itsourcecode POS Point of Sale System
A weakness has been identified in itsourcecode POS Point of Sale System 1.0. Affected is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php. Manipulation of the argument 'scripts' leads to cross-site scripting. The attack can be carried out remotely. The exploit has been made public and may be used.
AI Analysis
Technical Summary
CVE-2025-10065 is a cross-site scripting (XSS) vulnerability identified in the itsourcecode POS Point of Sale System version 1.0. The vulnerability exists in an unspecified function within the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php. The issue arises from improper sanitization or validation of the 'scripts' argument, which allows an attacker to inject script content into the page. The vulnerability can be exploited remotely without authentication, but user interaction is needed to trigger the injected script (e.g., a user viewing a crafted page). The CVSS 4.0 score is 5.3 (medium severity), reflecting a network attack vector, low attack complexity and no privileges required, with user interaction necessary. The impact primarily affects the integrity and confidentiality of the affected system: injected script can lead to session hijacking, defacement, or redirection to malicious sites. Availability impact is minimal. Exploit code has been publicly disclosed, which increases the risk of exploitation, although no active exploitation in the wild has been reported yet. The vulnerability affects only version 1.0 of the itsourcecode POS system, specialized point-of-sale software used in retail environments. Given the POS context, exploitation could lead to theft of sensitive customer data or manipulation of transaction data if combined with other vulnerabilities or social engineering.
Potential Impact
For European organizations, especially retailers and businesses using the itsourcecode POS system version 1.0, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the POS system's web interface, potentially leading to theft of payment or customer data, session hijacking of administrative users, or unauthorized manipulation of inventory or sales data. This could result in financial losses, reputational damage, and regulatory compliance issues under GDPR due to potential exposure of personal data. The remote exploitability and public availability of exploit code increase the urgency for mitigation. However, the requirement for user interaction (e.g., an employee clicking a malicious link or viewing a crafted page) somewhat limits the attack surface. Still, phishing or social engineering campaigns targeting employees could facilitate exploitation. The impact on availability is low, but integrity and confidentiality risks are significant in the retail context. Organizations relying on this POS system should prioritize addressing this vulnerability to prevent potential data breaches and operational disruptions.
Mitigation Recommendations
1. Immediate mitigation should include applying any available patches or updates from the itsourcecode vendor; if no patch is currently available, consider temporary workarounds such as disabling or restricting access to the vulnerable component (/inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php) or sanitizing inputs at the web server or application firewall level.
2. Implement strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the POS system's web interface.
3. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the vulnerable parameter.
4. Conduct employee awareness training to reduce the risk of social engineering attacks that could trigger the vulnerability.
5. Monitor logs and network traffic for suspicious activity related to the POS system, especially unusual requests to the vulnerable script or unexpected script execution.
6. If feasible, isolate the POS system network segment from the broader corporate network to limit lateral movement in case of compromise.
7. Plan for an upgrade or migration to a newer, patched version of the POS system or alternative software if the vendor does not provide timely fixes.
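Recommendations 1 and 5 above amount to two checks a defender can automate: is the DataTables unit-testing template still reachable, and is anyone requesting it. The following Python script is an added example written for this page; it is not code from the advisory, from VulDB or from the itsourcecode project. It parses access-log lines in the Apache/nginx "combined" layout (an assumed format; adjust the regex to your server), flags every request under the DataTables unit_testing tree (test scaffolding that has no role in serving a POS application), rates a hit on the exact file named in the advisory with the 'scripts' argument present as high, and records whether the server still served the file (status below 400) or already blocked it. The log lines are constructed samples; only the file path and the parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path and parameter name taken from the advisory for CVE-2025-10065.
VULN_PATH = "/inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php"
SUSPECT_PARAM = "scripts"
# Anything under the DataTables unit_testing tree is test scaffolding; a production
# POS deployment should never serve it, so every hit there is worth a look.
UNIT_TESTING_PREFIX = "/inventory/main/vendors/datatables/unit_testing/"

# Apache/nginx "combined" access-log layout (assumed; adjust to your log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def classify(line):
    """Return a finding dict for a log line that touches the unit_testing tree, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line; skip it rather than crash
    parts = urlsplit(m.group("target"))
    path = unquote_plus(parts.path)  # normalise percent-encoded path segments
    if not path.startswith(UNIT_TESTING_PREFIX):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get(SUSPECT_PARAM, [])
    status = int(m.group("status"))
    finding = {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": path,
        "status": status,
        "served": status < 400,            # False once the file is blocked (recommendation 1)
        "exact_cve_path": path == VULN_PATH,
        "scripts_param": bool(values),
        # parse_qs has already percent-decoded the values, so markup shows up as < or >
        "markup_in_scripts": any("<" in v or ">" in v for v in values),
    }
    if finding["exact_cve_path"] and finding["scripts_param"]:
        finding["severity"] = "high"
    elif finding["exact_cve_path"]:
        finding["severity"] = "medium"
    else:
        finding["severity"] = "info"
    return finding


def scan(lines):
    """Classify every line and keep only the ones that produced a finding."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def summarize(findings):
    """Count findings per severity and note whether the vulnerable file is still being served."""
    counts = {"high": 0, "medium": 0, "info": 0}
    still_served = False
    for f in findings:
        counts[f["severity"]] += 1
        if f["exact_cve_path"] and f["served"]:
            still_served = True
    return {"counts": counts, "vulnerable_file_still_served": still_served}


# Constructed sample log lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2025:10:00:01 +0000] "GET /inventory/main/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Sep/2025:10:00:02 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php?scripts=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 1340 "-" "curl/8.0"',
    '198.51.100.7 - - [15/Sep/2025:10:00:03 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.9 - - [15/Sep/2025:10:00:04 +0000] "GET /inventory/main/vendors/datatables/unit_testing/other_template.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        flag = "  scripts=present" if f["scripts_param"] else ""
        print(f"{f['severity']:6} {f['ip']:14} {f['status']} {f['path']}{flag}")
    print(summarize(results))
```

A "high" finding whose `served` flag is True means the file still answered a request carrying the argument, so the access restriction from recommendation 1 is not yet in place; once that restriction works, the same requests show up as "medium" with `served` False, which is the state to expect until the system is upgraded.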
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-06T07:49:19.580Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bcd61ca2c363fb160852ae
Added to database: 9/7/2025, 12:47:24 AM
Last enriched: 9/15/2025, 12:49:53 AM
Last updated: 10/22/2025, 3:38:06 AM