# CVE-2025-67263 - Stored cross-site scripting (XSS) in Abacre Retail Point of Sale 14.0.0.396

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which, is persisted in the database.

The "Name" and "Surname" fields under the "Clients" tab are vulnerable to Stored Cross-Site Scripting (XSS).

<img width="1221" height="204" alt="Pasted image 20251028231040" src="https://github.com/user-attachments/assets/35512cad-0d0c-4574-84d7-b1a81268dc2c" />

By adding a simple payload such as `<script>alert("xss 1")</script>`, saving the user details in the database and then clicking 'Statement' the preview web page will trigger the XSS.

<img width="420" height="403" alt="Pasted image 20251028231234" src="https://github.com/user-attachments/assets/33b8c91d-2e2f-4fb2-90fa-6982a9559703" />

Since the payload gets stored in the database, it will be triggered every time that the 'Statement' button is clicked with the user selected.