CVE-2025-10566 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System, specifically affecting the /index.php?page=users endpoint. The vulnerability arises from improper sanitization of the 'page' parameter, allowing an attacker to inject malicious scripts. This flaw can be exploited remotely without requiring authentication, and user interaction is necessary to trigger the payload, typically through a crafted URL or link. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user authentication needed (AT:N). However, user interaction (UI:P) is required to execute the malicious script. The impact primarily affects the integrity of the victim's browser session, potentially leading to session hijacking, defacement, or redirection to malicious sites. Confidentiality impact is none, and availability is not affected. The vulnerability does not impact the server-side data directly but can be leveraged to target users of the system, such as employees or administrators accessing the affected page. Although no public exploits are currently known in the wild, the exploit code is publicly available, increasing the risk of exploitation. The lack of patches or mitigation guidance from the vendor further elevates the threat level for organizations using this system.

For European organizations using the Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a risk primarily to the users accessing the affected web interface. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users, potentially compromising sensitive sales and inventory data indirectly. This could disrupt business operations, lead to financial losses, and damage customer trust. Additionally, attackers could use the XSS vulnerability as a foothold to conduct further attacks within the network or to distribute malware. Given that grocery and retail sectors are critical infrastructure components in Europe, any compromise could have cascading effects on supply chains and consumer safety. The medium severity rating suggests that while the vulnerability is not immediately critical, it should not be ignored, especially in environments where the system is exposed to the internet or used by multiple users with varying privilege levels.

1. Immediate mitigation should include implementing strict input validation and output encoding on the 'page' parameter to neutralize malicious scripts. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Restrict access to the affected endpoint (/index.php?page=users) via network controls such as firewalls or VPNs to limit exposure. 4. Educate users about the risks of clicking on suspicious links and encourage the use of updated browsers with built-in XSS protections. 5. Monitor web server logs for unusual requests targeting the 'page' parameter to detect potential exploitation attempts. 6. Engage with the vendor to obtain patches or updates; if unavailable, consider upgrading to a more secure inventory management solution. 7. Implement web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting this parameter. 8. Regularly review and update security policies to include vulnerability management for third-party applications.