← Back to CVEs
CVE-2025-60503
HIGH8.7
Description
A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated attacker to execute arbitrary JavaScript in the context of an administrator's browser session, which could lead to session hijacking or other malicious actions.
CVE Details
CVSS v3.1 Score8.7
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionREQUIRED
Published11/3/2025
Last Modified2/3/2026
Sourcenvd
Honeypot Sightings0
Affected Products
ultimatefosters:ultimatepos
Weaknesses (CWE)
CWE-79
References
https://github.com/H4zaz/CVE-2025-60503(cve@mitre.org)
https://ultimatefosters.com(cve@mitre.org)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.