CVE-2025-40980 Information

Description

A Stored Cross Site Scripting vulnerability has been found in UltimatePOS by UltimateFosters. This vulnerability is due to the lack of proper validation of user inputs via ‘/products/<PRODUCT_ID>/edit’ affecting to ‘name’ parameter via POST. The vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her session cookies details.

Reference

https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-ultimatepos

Related CNNVD

CNNVD-202507-3882 (Published: 2025-07-31)