CVE-2025-10067: Cross Site Scripting in itsourcecode POS Point of Sale System

Severity: Medium
Type: Vulnerability (CVE-2025-10067)
Published: Sun Sep 07 2025 (09/07/2025, 01:32:06 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: POS Point of Sale System

Description

A vulnerability was detected in itsourcecode POS Point of Sale System 1.0. The impacted element is an unknown function of the file /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php. Performing manipulation of the argument scripts results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.

AI-Powered Analysis

AI analysis last updated: 09/07/2025, 02:02:23 UTC

Technical Analysis

CVE-2025-10067 is a cross-site scripting (XSS) vulnerability in version 1.0 of the itsourcecode POS Point of Sale System. The affected file is /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php; the CVE record does not name the function. The path shows that the file is not part of the POS application logic but a template from the unit-testing scaffolding of the DataTables library bundled under vendors/, deployed along with the application. The template takes the 'scripts' request parameter and places it in its output without adequate validation or output encoding, so a remote, unauthenticated attacker can build a URL whose 'scripts' value carries markup or JavaScript that runs in the browser of whoever opens it, in the origin of the POS web interface. The record does not say whether the injection is reflected or stored; since the payload travels in a request parameter to a template, reflected XSS is the likely case, which means the attacker needs a user of the system, ideally one with an active session, to open the crafted link. The CVSS 4.0 base score is 5.3 (medium): attack vector network (AV:N), no privileges required (PR:N), no attack requirements (AT:N), and passive user interaction (UI:P), that is, the victim only has to view the page. Confidentiality and availability impact are rated none and integrity impact low, reflecting that the direct effect is script execution in a user's browser; in practice that can still mean session hijacking if session cookies are not marked HttpOnly, defacement of the interface, or redirection to an attacker-controlled site. No exploitation in the wild has been reported, but exploit code is public, which lowers the bar for attackers. Only version 1.0 is listed as affected, and no vendor patch or official mitigation has been published. Because a POS system handles payment and inventory data, a script running as a logged-in cashier or administrator could be chained with other weaknesses or social engineering to read that data or trigger unauthorized transactions.

Potential Impact

For European organizations running itsourcecode POS Point of Sale System 1.0, the risk is moderate. The direct effect is script execution inside the POS web interface, but an attacker can use that to steal session cookies, phish staff with fake login prompts rendered inside the genuine application, or alter what the interface displays, for example sales totals or stock levels. That can expose sales and inventory data and lead to financial loss or reputational damage, and retailers and hospitality businesses that depend on the system may face disruption or data-integrity problems. Where the system processes personal or payment data, a breach resulting from exploitation is reportable under the GDPR and can attract regulatory penalties. Because exploitation is remote and needs no authentication, any position from which a crafted link can reach a user's browser suffices: a POS interface that is reachable only from the store network is still exposed to anyone on that network and to a phishing e-mail opened by staff. The medium CVSS score reflects that the vulnerability alone does not compromise the server and only reaches what the victim's browser session can reach, so it is best treated as a possible initial foothold or pivot point rather than as a direct route to the database.

Mitigation Recommendations

Start by confirming whether the POS system in use is version 1.0 and whether the file /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php is reachable over HTTP. The unit_testing directory is test scaffolding shipped with the bundled DataTables library and should not be needed by the application at runtime; after checking that nothing in the deployment references it, delete it from production installs or deny access to it in the web server configuration, which removes the vulnerable template altogether. Restrict the POS web interface to trusted internal networks. Where the template must stay, apply output encoding (for HTML context, htmlspecialchars() with ENT_QUOTES and an explicit charset) to the 'scripts' value before it is written to the page, or validate the parameter against the small character set a list of script paths needs, and consider a Content-Security-Policy header as a further layer. A web application firewall can block typical XSS payloads aimed at the 'scripts' parameter; make sure its rules also match percent-encoded and double-encoded forms. Monitor access logs for requests into the unit_testing tree and for 'scripts' values containing tags, quotes, or event handlers, and conduct regular assessments and penetration tests of POS systems. Train staff to recognize phishing and social engineering that could deliver the crafted link, segment POS systems from other critical infrastructure to limit lateral movement, and plan to deploy a vendor patch as soon as one is released.
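The log-monitoring step above, worked through as an added example (this is not code from itsourcecode, from DataTables, or from the CVE record). It parses access-log lines in the common Apache/nginx "combined" layout, which is assumed to be what the POS web server writes, URL-decodes the query string so that percent-encoded and double-encoded payloads are caught, and grades each hit: any request into the unit_testing tree is noted, a request to the vulnerable template with a 'scripts' parameter is medium, and a 'scripts' value containing characters that a list of script paths would never need is high. The assumption that legitimate use only ever passes colon-separated relative .js paths is mine, not something the CVE record states; the sample log lines are constructed, not real traffic.

```python
"""
Detect probing of CVE-2025-10067 in web-server access logs.

Added example for this advisory; not code from itsourcecode, DataTables or the
CVE record. The combined log format regex and the sample lines are constructed
for illustration, and the whitelist of characters allowed in 'scripts' is an
assumption about benign use of the template.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/inventory/main/vendors/datatables/unit_testing/templates/empty_table.php"
TEST_TREE = "/inventory/main/vendors/datatables/unit_testing/"

# Apache/nginx "combined" format (assumed): ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A colon-separated list of script paths only needs these characters; "<", quotes,
# "(", "%" and whitespace have no business in it and are treated as an injection attempt.
SAFE_SCRIPTS_RE = re.compile(r"^[A-Za-z0-9_./:-]+$")


def normalize(value, rounds=3):
    """Percent-decode repeatedly so that %253Cscript%253E and <script> look the same."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return (severity, reason) for one access-log line, or None if it is of no interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not parts.path.startswith(TEST_TREE):
        return None
    ip = m.group("ip")
    # parse_qs already removes one layer of percent-encoding
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == VULN_PATH and "scripts" in params:
        for raw in params["scripts"]:
            if not SAFE_SCRIPTS_RE.match(raw):
                payload = normalize(raw)
                return ("high", f"CVE-2025-10067 payload in scripts= from {ip}: {payload!r}")
        return ("medium", f"vulnerable template requested with scripts= from {ip}")
    # The unit_testing tree is DataTables test scaffolding; in production any hit is worth a look.
    return ("low", f"request into DataTables unit_testing tree from {ip}: {parts.path}")


def scan(lines):
    """Classify every line and drop the uninteresting ones."""
    return [hit for hit in (classify(line) for line in lines) if hit is not None]


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Sep/2025:01:40:12 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php?scripts=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1450',
    '203.0.113.8 - - [07/Sep/2025:01:40:40 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php?scripts=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1460',
    '198.51.100.4 - - [07/Sep/2025:01:41:03 +0000] "GET /inventory/main/vendors/datatables/unit_testing/templates/empty_table.php?scripts=media/js/jquery.dataTables.js HTTP/1.1" 200 1320',
    '198.51.100.9 - - [07/Sep/2025:01:42:55 +0000] "GET /inventory/main/vendors/datatables/unit_testing/index.html HTTP/1.1" 404 210',
    '192.0.2.10 - - [07/Sep/2025:01:43:20 +0000] "GET /inventory/main/index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Run as a script it prints one line per hit; in a SIEM you would feed real log lines to scan() and alert on "high" immediately, while "low" hits are the signal that the unit_testing directory is still deployed and should be removed. The whitelist approach is deliberate: matching known payload strings such as "<script>" misses encoded variants and event-handler attributes, whereas rejecting anything outside the characters a path list needs catches all of them.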

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-06T07:49:25.196Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68bce42ba2c363fb1608c21e

Added to database: 9/7/2025, 1:47:23 AM

Last enriched: 9/7/2025, 2:02:23 AM

Last updated: 9/7/2025, 1:19:11 PM