CVE-2025-66923 is a cross-site scripting (XSS) vulnerability identified in Open Source Point of Sale (POS) version 3.4.1, specifically in the Create/Update Customer(s) feature. The vulnerability arises because the phone_number parameter does not properly sanitize or encode user-supplied input, allowing attackers to inject arbitrary HTML or JavaScript code. When a victim accesses a page that processes or displays this malicious input, the injected script executes in the victim's browser context. This can lead to session hijacking, credential theft, unauthorized actions on behalf of the user, or delivery of further malware. The vulnerability is remotely exploitable without authentication, increasing its risk profile. Although no known exploits have been reported in the wild, the lack of patches or mitigations at this time leaves systems exposed. The vulnerability affects the confidentiality and integrity of data processed by the POS system and can disrupt availability if leveraged for further attacks. The absence of a CVSS score suggests the need for a severity assessment based on impact and exploitability factors.

For European organizations, particularly those in retail and hospitality sectors relying on Open Source POS v3.4.1, this XSS vulnerability poses a significant risk. Exploitation could lead to theft of customer data, including personally identifiable information (PII), and compromise of employee or administrative sessions. This may result in financial fraud, reputational damage, and regulatory non-compliance under GDPR due to data breaches. Additionally, attackers could use the vulnerability as a foothold to escalate attacks within the network or distribute malware. The impact extends beyond individual businesses to their customers and partners, potentially affecting trust and operational continuity. Given the widespread use of open source POS solutions in small to medium enterprises across Europe, the vulnerability could have broad implications if not addressed promptly.

Organizations should immediately implement strict input validation and output encoding on the phone_number parameter to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor web application logs for suspicious input patterns targeting the phone_number field. Restrict access to the Create/Update Customer(s) functionality to trusted users and networks where possible. Engage with the Open Source POS community or vendor to obtain patches or updates addressing this vulnerability as soon as they are released. Conduct security awareness training for staff to recognize phishing or social engineering attempts that might leverage this vulnerability. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this parameter. Regularly audit and test the POS environment for similar injection flaws to ensure comprehensive protection.