CVE-2021-47908
Description
Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ultimate POS 4.4 has a persistent XSS vulnerability in the product name parameter, allowing remote attackers to inject arbitrary JavaScript and potentially hijack user sessions.
Vulnerability
Overview
Ultimate POS 4.4, an ERP stock management and point-of-sale web application, contains a persistent cross-site scripting (XSS) vulnerability in the product name parameter. The root cause is improper neutralization of user-supplied input during web page generation, specifically within the product add and edit functions [1][3]. This allows an attacker to inject arbitrary script code that is stored on the server and later executed in the browser of any user viewing the affected product details.
Exploitation
Prerequisites
Exploitation requires authenticated access with moderator-level privileges, meaning an attacker must first obtain valid credentials for a user role that can add or edit products [1]. The attack vector is remote, and the user interaction required is low: a victim simply needs to view the page containing the injected product name. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) [3].
Impact
A successful attack enables the execution of arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information displayed within the application. Because the script is stored persistently, every user who accesses the compromised product listing is affected until the malicious input is removed.
Mitigation
Status
The vulnerability was publicly disclosed on October 25, 2021, and affects Ultimate POS version 4.4 [1]. As of the publication date of this CVE, no official patch has been confirmed. Users should upgrade to a newer version if available, or restrict moderator-level account access and sanitize product name inputs as a workaround.
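The following is an added illustration of the mitigation described above, not code from Ultimate POS or from the CVE references; it makes no assumptions about how Ultimate POS actually renders its templates. It contrasts the CWE-79 pattern (a stored product name interpolated into HTML verbatim) with context-aware output encoding for both the product listing (text context) and the edit form (attribute context), and adds a small audit helper that flags already-stored names containing markup so a defender can review records entered before the fix. The product records are constructed sample data.

```python
"""Stored XSS in a product name: vulnerable rendering next to the hardened form (added example)."""
import html
import re
from typing import Dict, List

# Constructed sample records. Record 3 carries generic markup so the escaper's effect is visible;
# it is a constructed string, not a payload from the advisory.
SAMPLE_PRODUCTS: List[Dict[str, object]] = [
    {"id": 1, "name": "Café au lait 250ml"},
    {"id": 2, "name": 'Bracket "Pro" <steel>'},
    {"id": 3, "name": "<script>alert(1)</script>"},
]


def render_row_unsafe(product: Dict[str, object]) -> str:
    """Vulnerable pattern (CWE-79): the stored name is placed into the page without encoding,
    so any markup saved through the add/edit function runs in every viewer's browser."""
    return f'<tr><td>{product["id"]}</td><td>{product["name"]}</td></tr>'


def render_row(product: Dict[str, object]) -> str:
    """Hardened listing row: encode for the HTML text context at output time.
    The name stays stored as the user typed it; only its rendering changes."""
    return f'<tr><td>{product["id"]}</td><td>{html.escape(str(product["name"]), quote=True)}</td></tr>'


def render_edit_field(product: Dict[str, object]) -> str:
    """Hardened edit form: the name lands inside a quoted attribute, so quote=True matters,
    otherwise a stored quote character could close the attribute early."""
    return f'<input name="name" value="{html.escape(str(product["name"]), quote=True)}">'


# Conservative triage pattern: tag openers, javascript: URLs, and inline event-handler attributes.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!?]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def audit_product_names(products: List[Dict[str, object]]) -> List[object]:
    """Return ids of stored product names that look like markup, for manual review.
    This is a clean-up aid for data entered before the fix; it does not replace output encoding,
    and it can flag harmless names that merely contain angle brackets."""
    return [p["id"] for p in products if MARKUP_RE.search(str(p["name"]))]


if __name__ == "__main__":
    for p in SAMPLE_PRODUCTS:
        print("unsafe :", render_row_unsafe(p))
        print("escaped:", render_row(p))
        print("form   :", render_edit_field(p))
    print("records to review:", audit_product_names(SAMPLE_PRODUCTS))
```

The design point is that encoding is applied where the value is emitted, chosen for the context it is emitted into; rejecting or stripping characters on input is a weaker fallback because a product name can legitimately contain quotes or ampersands, and the same stored value may later be rendered into a different context.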
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0. No linked articles in our index yet.