CVE-2025-57204: n/a
Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 is affected by a Stored Cross-Site Scripting (XSS) vulnerability within the Products module available to authenticated users. The vulnerability resides in the product name parameter submitted to the product-creation endpoint via a standard POST form. Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is stored and subsequently rendered unsanitized in downstream views, leading to JavaScript execution in other users' browsers when they access the affected product pages. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially enabling session hijacking, privilege escalation within the application, data exfiltration, or administrative account takeover. The application also lacks a restrictive Content Security Policy (CSP), increasing exploitability.
AI Analysis
Technical Summary
CVE-2025-57204 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Stocky POS with Inventory Management & HRM (ui-lib) version 5.0. The vulnerability exists within the Products module, specifically in the product name parameter submitted via a POST form during product creation. Due to insufficient input sanitization and lack of proper output encoding, malicious HTML or JavaScript payloads can be injected by an authenticated attacker. These payloads are stored persistently and rendered unsanitized in downstream views, causing arbitrary JavaScript execution in the browsers of other users who access the affected product pages. The absence of a restrictive Content Security Policy (CSP) further increases the risk and ease of exploitation. The attack requires the attacker to be authenticated and involves user interaction (victims accessing the compromised product pages). Potential consequences include session hijacking, privilege escalation within the application, data exfiltration, and administrative account takeover. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, and user interaction. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). No known exploits are currently reported in the wild, and no patches are publicly available yet.
Potential Impact
For European organizations using Stocky POS with Inventory Management & HRM, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive business data, manipulation of inventory or HR records, and compromise of administrative accounts, potentially disrupting business operations and causing financial loss. Retailers and businesses relying on this POS system could face customer data exposure and reputational damage. The stored XSS nature means that multiple users can be affected once the malicious payload is injected, amplifying the impact. Given the POS system’s role in transaction processing and employee management, integrity and confidentiality breaches could have regulatory implications under GDPR, especially if personal data is exposed or manipulated. The lack of a restrictive CSP increases the likelihood of successful exploitation, making it easier for attackers to bypass browser security controls. Although no active exploits are known, the medium CVSS score and the potential for privilege escalation warrant timely attention.
Mitigation Recommendations
1. Immediate mitigation should focus on input validation and output encoding: implement strict server-side input sanitization on the product name parameter to neutralize HTML and JavaScript code before storage.
2. Apply context-aware output encoding when rendering product names in the UI to prevent script execution.
3. Introduce or strengthen Content Security Policy (CSP) headers to restrict the execution of inline scripts and loading of untrusted resources, significantly reducing XSS exploitability.
4. Enforce the principle of least privilege for user roles to limit the ability of authenticated users to inject malicious content.
5. Conduct thorough code reviews and security testing of the affected module to identify and remediate similar vulnerabilities.
6. Monitor logs for suspicious POST requests to the product-creation endpoint and unusual user activity.
7. Educate users and administrators about the risks of XSS and encourage cautious handling of product data inputs.
8. Coordinate with the vendor for official patches or updates and apply them promptly once available.
9. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads as a temporary protective measure.
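Recommendations 1 to 3 in working form, as an added example that is not code from the advisory or from the Stocky application: the vulnerable rendering pattern (raw interpolation of the stored product name) beside a hardened version that encodes separately for text, attribute and URL contexts, plus a storage-time validation policy and a CSP header. The function names, the validation regex and the sample product name are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input (not from the advisory): a product name carrying markup.
HOSTILE_NAME = '<img src=x onerror=alert(1)>Widget "Pro" & Co'

# Hypothetical storage-time policy for the product name field (recommendation 1):
# bounded length, no control characters, and no angle brackets at all.
NAME_RE = re.compile(r'[^<>\x00-\x1f\x7f]{1,120}')


def product_name_is_valid(name: str) -> bool:
    """Reject the submission server-side before it ever reaches storage."""
    return NAME_RE.fullmatch(name) is not None


def render_product_row_unsafe(name: str) -> str:
    """The vulnerable pattern: stored data interpolated into HTML unencoded."""
    return (f'<tr><td title="{name}">{name}</td>'
            f'<td><a href="/products?q={name}">search</a></td></tr>')


def render_product_row_safe(name: str) -> str:
    """Recommendation 2: encode for each output context separately."""
    text = html.escape(name, quote=False)   # text node: & < > become entities
    attr = html.escape(name, quote=True)    # attribute value: also " and '
    url = quote(name, safe='')              # URL query component: percent-encode
    return (f'<tr><td title="{attr}">{text}</td>'
            f'<td><a href="/products?q={url}">search</a></td></tr>')


def csp_header() -> tuple[str, str]:
    """Recommendation 3: a CSP that refuses inline script even if encoding is missed."""
    policy = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'self'; frame-ancestors 'none'")
    return "Content-Security-Policy", policy


if __name__ == "__main__":
    print("accepted for storage:", product_name_is_valid(HOSTILE_NAME))
    print("unsafe:", render_product_row_unsafe(HOSTILE_NAME))
    print("safe:  ", render_product_row_safe(HOSTILE_NAME))
    print(": ".join(csp_header()))
```

The safe renderer is the control that matters: it keeps the name readable for the user while the browser only ever sees entity or percent-encoded characters, so no markup from the stored value can become part of the page.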
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68d1b55562c5b9ff4b6b8c05
Added to database: 9/22/2025, 8:45:09 PM
Last enriched: 9/30/2025, 12:41:18 AM
Last updated: 11/2/2025, 2:02:41 AM