CVE-2025-66923: n/a
A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter.
AI Analysis
Technical Summary
CVE-2025-66923 is a Cross-site Scripting (XSS) vulnerability identified in Open Source Point of Sale (POS) version 3.4.1, specifically within the Create/Update Customer(s) feature. The vulnerability arises due to insufficient sanitization of the phone_number parameter, allowing remote attackers with authenticated access to inject arbitrary HTML or JavaScript code. This injection can lead to the execution of malicious scripts in the context of the victim's browser, potentially enabling session hijacking, credential theft, or unauthorized actions within the POS application. The CVSS v3.1 score of 7.2 reflects a high severity, with an attack vector of network (remote), low attack complexity, but requiring high privileges and no user interaction. The vulnerability affects confidentiality, integrity, and availability, as attackers can manipulate customer data or disrupt POS operations. Although no known exploits are currently reported in the wild, the lack of available patches increases the urgency for mitigation. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-20 (Improper Input Validation), indicating fundamental input validation failures. Given the widespread use of open-source POS systems in retail environments, this vulnerability poses a significant risk to organizations relying on this software for customer management and transaction processing.
Potential Impact
For European organizations, especially those in the retail sector using Open Source POS v3.4.1, this vulnerability can lead to severe consequences. Attackers exploiting this XSS flaw can execute malicious scripts that compromise customer data confidentiality, including personal and payment information. Integrity of customer records and transaction data can be manipulated, leading to fraudulent activities or financial losses. Availability may also be impacted if attackers disrupt POS operations or inject scripts that cause application failures. The requirement for high privileges limits exploitation to insiders or attackers who have already compromised credentials, but this does not reduce the risk significantly, as insider threats and credential theft are common. The vulnerability could also be leveraged as a pivot point for broader network compromise within retail environments. European data protection regulations such as GDPR impose strict requirements on data security; exploitation of this vulnerability could result in regulatory penalties and reputational damage.
Mitigation Recommendations
1. Implement strict input validation and sanitization on the phone_number parameter to ensure no executable code can be injected.
2. Apply proper output encoding/escaping on all user-supplied data before rendering it in the web interface.
3. Restrict access to the Create/Update Customer(s) functionality to only trusted and necessary personnel, enforcing the principle of least privilege.
4. Monitor logs for unusual activity related to customer data updates or injection attempts.
5. Deploy Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the vulnerable parameter.
6. Conduct regular security audits and code reviews focusing on input handling in the POS application.
7. Engage with the Open Source POS community or vendor for patches or updates addressing this vulnerability.
8. Educate staff about the risks of credential compromise and enforce strong authentication mechanisms to reduce the risk of privilege escalation.
9. Consider isolating the POS system network segment to limit lateral movement in case of compromise.
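As an added defensive example (not code from Open Source Point of Sale or from this advisory), the following Python sketch implements items 1, 2 and 4 above: an allowlist validator for the phone_number field, output escaping for the customer table, and a check over constructed log lines for customer-update requests whose phone_number carries markup characters. The allowed phone format, the log line layout and the endpoint name customers/save are assumptions.

```python
import html
import re
from typing import List, Optional, Tuple

# Allowlist for phone_number: optional leading '+', then a digit, then 4-19 more
# digits, spaces, dots, dashes or parentheses. Anything else is rejected before it
# reaches the database (item 1). Assumed format, not the project's own rule.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{4,19}$")

# Characters that never belong in a phone number but do in HTML/JS; a request whose
# phone_number contains any of them is worth a log entry (item 4).
MARKUP_CHARS = set('<>"\'&/=')

# Constructed log lines (assumed layout: "<ts> <user> <endpoint> <field>=<value>").
SAMPLE_LOG = [
    "2025-12-17T17:31:19Z clerk01 customers/save phone_number=+49 30 1234567",
    "2025-12-17T17:35:02Z clerk02 customers/save phone_number=<script>alert(1)</script>",
    "2025-12-17T17:36:40Z clerk01 items/save name=Widget",
]


def validate_phone_number(value: str) -> Optional[str]:
    """Return the trimmed phone number if it matches the allowlist, else None."""
    value = value.strip()
    return value if PHONE_RE.fullmatch(value) else None


def render_phone_cell(value: str) -> str:
    """HTML-escape a stored value before placing it in the customer table (item 2).
    Escaping at output time protects even values that were stored before input
    validation existed."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def flag_suspicious_updates(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, user) for customers/save requests whose phone_number
    contains markup characters; these are the events a SOC would want to review."""
    pattern = re.compile(r"(\S+) (\S+) customers/save phone_number=(.*)$")
    hits = []
    for line in log_lines:
        m = pattern.match(line)
        if m and MARKUP_CHARS & set(m.group(3)):
            hits.append((m.group(1), m.group(2)))
    return hits
```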
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6942e8e71c1ff09136892798
Added to database: 12/17/2025, 5:31:19 PM
Last enriched: 12/24/2025, 6:17:25 PM
Last updated: 2/6/2026, 12:48:05 AM