CVE-2025-57204: n/a
Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 is affected by a Stored Cross-Site Scripting (XSS) vulnerability within the Products module available to authenticated users. The vulnerability resides in the product name parameter submitted to the product-creation endpoint via a standard POST form. Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is stored and subsequently rendered unsanitized in downstream views, leading to JavaScript execution in other users' browsers when they access the affected product pages. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially enabling session hijacking, privilege escalation within the application, data exfiltration, or administrative account takeover. The application also lacks a restrictive Content Security Policy (CSP), increasing exploitability.
AI Analysis
Technical Summary
CVE-2025-57204 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Stocky POS with Inventory Management & HRM (ui-lib) version 5.0. The vulnerability exists within the Products module, specifically in the product name parameter submitted via a POST request to the product-creation endpoint. Authenticated users can exploit this flaw by injecting malicious HTML or JavaScript payloads due to insufficient input sanitization and lack of proper output encoding. These payloads are stored persistently in the system and rendered unsanitized in subsequent views accessed by other users. When other users visit the affected product pages, the malicious scripts execute in their browsers, enabling attackers to hijack sessions, escalate privileges within the application, exfiltrate sensitive data, or even take over administrative accounts. The absence of a restrictive Content Security Policy (CSP) further increases the risk and ease of exploitation by allowing the injected scripts to run without additional browser restrictions. Although exploitation requires authentication, the impact is significant because it can lead to full compromise of user accounts and potentially the entire application environment. No CVSS score has been assigned yet, and no known exploits in the wild have been reported as of the publication date.
Potential Impact
For European organizations using Stocky POS with Inventory Management & HRM (ui-lib) version 5.0, this vulnerability poses a serious threat to the confidentiality, integrity, and availability of their business-critical systems. POS systems often handle sensitive payment and customer data, so exploitation could lead to data breaches involving personal and financial information, violating GDPR and other data protection regulations. The ability to execute arbitrary JavaScript in other users' browsers can facilitate session hijacking and privilege escalation, potentially allowing attackers to manipulate inventory, alter HR records, or disrupt business operations. This could result in financial losses, reputational damage, regulatory penalties, and operational downtime. The lack of a restrictive CSP exacerbates the risk, making it easier for attackers to bypass browser security controls. Since the vulnerability requires authentication, insider threats or compromised user credentials increase the likelihood of exploitation. European organizations with integrated POS and HRM systems are particularly vulnerable to cascading impacts affecting multiple business functions.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately apply patches or updates provided by the vendor once available. In the absence of patches, implement strict input validation and output encoding on the product name parameter to prevent injection of malicious scripts. Employ a robust Content Security Policy (CSP) that restricts the execution of inline scripts and only allows trusted sources to load scripts, significantly reducing the risk of XSS exploitation. Conduct thorough code reviews and security testing focusing on all user input fields, especially those accessible to authenticated users. Limit user privileges to the minimum necessary to reduce the attack surface, and monitor logs for suspicious activities related to product creation or modification. Educate users about the risks of XSS and enforce strong authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access. Additionally, consider implementing Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the application.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68d1b55562c5b9ff4b6b8c05
Added to database: 9/22/2025, 8:45:09 PM
Last enriched: 9/22/2025, 8:45:48 PM
Last updated: 9/22/2025, 10:28:03 PM
Related Threats
- CVE-2025-43814: CWE-201 Insertion of Sensitive Information Into Sent Data in Liferay Portal (Medium)
- CVE-2025-10821: Improper Authorization in fuyang_lipengjun platform (Medium)
- CVE-2025-43810: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay Portal (Medium)
- CVE-2025-10820: Improper Authorization in fuyang_lipengjun platform (Medium)
- CVE-2025-10819: Improper Authorization in fuyang_lipengjun platform (Medium)