CVE-2025-66921 - Vulnerability Details - OpenCVE

A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md
https://github.com/opensourcepos/opensourcepos

History

Wed, 17 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.
References		https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md https://github.com/opensourcepos/opensourcepos

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-12-17T00:00:00.000Z

Updated: 2025-12-17T18:48:16.632Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-66921

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-12-17T17:15:50.827

Modified: 2025-12-17T17:15:50.827

Link: CVE-2025-66921

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-66921", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-12-17T18:48:16.632Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2025-12-17T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-17T16:53:50.758Z"}, "descriptions": [{"lang": "en", "value": "A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the \"name\" parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos"}, {"url": "https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "references": [{"url": "https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T18:25:13.806464Z", "id": "CVE-2025-66921", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T18:48:16.632Z"}}]}, "dataVersion": "5.2"}