CVE-2025-10065: Cross Site Scripting in itsourcecode POS Point of Sale System
A weakness has been identified in itsourcecode POS Point of Sale System 1.0. Affected is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php. Manipulation of the argument 'scripts' leads to cross-site scripting. The attack can be carried out remotely. The exploit has been made public and may be used.
AI Analysis
Technical Summary
CVE-2025-10065 is a cross-site scripting (XSS) vulnerability in version 1.0 of the itsourcecode POS Point of Sale System. It resides in an unspecified function within the file /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php, a template that ships under the vendored DataTables unit_testing directory. The issue arises from improper handling and sanitization of the 'scripts' argument, which allows an attacker to inject script into the page returned to the victim. The vulnerability can be exploited remotely without authentication, but it requires user interaction (for example, a victim following a crafted link or visiting a page that issues the request). The CVSS 4.0 base score is 5.3 (medium severity): network attack vector, low attack complexity, no privileges required. The impact is primarily to the integrity of the victim's session or data, with limited effect on confidentiality and availability; in practice, injected script can lead to session hijacking, defacement, or redirection to malicious sites. No exploitation in the wild has been reported, but exploit code is publicly available, which raises the likelihood of attempts. Because the affected product is a POS system, which is critical to retail and hospitality operations, transaction integrity and customer data may be at stake.
Potential Impact
For European organizations, especially those in retail, hospitality, and other sectors relying on the itsourcecode POS system version 1.0, this vulnerability poses a significant risk. Exploitation could lead to malicious script execution in the context of the POS system's web interface, potentially enabling attackers to steal session tokens, manipulate transaction data, or redirect users to phishing sites. This could result in financial fraud, loss of customer trust, and regulatory non-compliance, particularly under GDPR due to potential exposure of personal data. The remote exploitability without authentication increases the threat surface, especially for organizations with POS systems exposed to internal networks or the internet. While the vulnerability does not directly compromise system availability, the integrity and trustworthiness of transaction data could be undermined, leading to operational disruptions and reputational damage.
Mitigation Recommendations
Organizations using itsourcecode POS Point of Sale System version 1.0 should immediately assess their exposure to this vulnerability. Specific mitigation steps:
1) Apply any available patches or updates from the vendor; if no patch is available, consider upgrading to a newer, unaffected version.
2) Implement strict input validation and context-appropriate output encoding for the 'scripts' parameter so that it cannot inject markup or script.
3) Deploy web application firewall (WAF) rules that detect and block XSS payloads aimed at the vulnerable endpoint.
4) Restrict access to the POS system's web interface to trusted internal networks and enforce network segmentation to limit exposure; since the affected file sits under the vendored DataTables unit_testing directory, also check whether that directory needs to be reachable in production at all.
5) Educate staff to recognize phishing attempts that could deliver a crafted link exploiting this vulnerability.
6) Monitor web server logs for requests to the vulnerable script, in particular requests whose 'scripts' parameter carries markup, and for unusual user behavior.
7) Deploy Content Security Policy (CSP) headers to reduce the impact of any XSS that does get through.
These measures focus on the specific vulnerable component and the operational context of POS systems rather than on generic advice.
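As an added example that is not part of the original advisory or of the itsourcecode product, the following Python script implements mitigation step 6: it scans web-server access-log lines for requests to the vulnerable template whose 'scripts' parameter carries markup, decoding twice so double-encoded values are not missed. The path and parameter name come from the advisory; the log lines are constructed samples and the log format (combined) is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path and parameter named in the advisory.
VULN_PATH = "/inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php"
VULN_PARAM = "scripts"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2025:00:47:24 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php?scripts=jquery.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Sep/2025:00:48:01 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php?scripts=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Sep/2025:00:48:30 +0000] "GET /inventory/main/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.12 - - [07/Sep/2025:00:49:10 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/dom_data_th.php?scripts=x%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 640 "-" "curl/8.0"
"""

# Minimal parser for the leading fields of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Markup or event-handler fragments that have no business in a script file name.
MARKUP_RE = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_scripts_values(target):
    """Decoded 'scripts' values of a request to the vulnerable template that contain markup."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    # parse_qs decodes once; decode once more so double-encoded payloads are still seen.
    decoded = [unquote_plus(v) for v in values]
    return [v for v in decoded if MARKUP_RE.search(v)]

def scan_log(text):
    """Return (client_ip, timestamp, suspicious_values) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_scripts_values(rec["target"])
        if hits:
            findings.append((rec["ip"], rec["ts"], hits))
    return findings
```

Feed `scan_log` the contents of the real access log; a hit on a 200 response is worth correlating with the client IP's other activity, since reflected XSS only matters when a victim's browser made the request.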
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-06T07:49:19.580Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bcd61ca2c363fb160852ae
Added to database: 9/7/2025, 12:47:24 AM
Last enriched: 9/7/2025, 1:02:32 AM
Last updated: 9/7/2025, 5:23:07 PM