VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2023 · Updated Aug 2, 2024

code-projects Point of Sales and Inventory Management System checkout.php cross site scripting

CVE-2023-7075

Description

Reflected XSS in Point of Sales and Inventory Management System 1.0 via the 'pt' parameter in /main/checkout.php allows attacker to steal admin cookies.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Point of Sales and Inventory Management System version 1.0. The flaw resides in the file /main/checkout.php at line 103, where the pt parameter is retrieved from user input and echoed directly into the HTML output without proper sanitization or encoding [1]. This allows an attacker to inject arbitrary JavaScript code via the pt parameter.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the pt parameter and tricking an authenticated administrator into visiting it. No authentication is required to trigger the XSS; the attack is performed remotely. The reference provides a proof-of-concept URL: http://192.168.211.1/pisp/main/checkout.php?pt=">&invoice=RS-38223922&total=&totalprof=&cashier=Administrator [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the administrator's browser session. This can lead to theft of session cookies, enabling the attacker to impersonate the administrator and gain unauthorized access to the application's administrative functions. The impact is limited to the browser session of the victim, but can result in full compromise of the application's administrative interface.

Mitigation

As of the publication date (2023-12-22), no official patch or fixed version has been released by the vendor. The application appears to be unmaintained. Users should implement input validation and output encoding for all user-supplied data, particularly the pt parameter in /main/checkout.php. Additionally, deploying a Web Application Firewall (WAF) or Content Security Policy (CSP) can help mitigate exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing output encoding of the `pt` parameter in checkout.php allows injected JavaScript to be echoed back to the browser."

Attack vector

An attacker crafts a URL containing a malicious `pt` parameter, such as `?pt=\"><ScRiPt>alert(1)</sCrIpT>`, and tricks a logged-in administrator into visiting it [ref_id=1]. The vulnerable code on line 103 of `/main/checkout.php` retrieves the `pt` value from user input and echoes it directly into the HTML without sanitization or encoding [ref_id=1]. Because the attack is reflected (the payload is not stored on the server), the victim must be lured to the crafted URL, but no authentication or special privileges are required to trigger the XSS [ref_id=1].

Affected code

The vulnerability is in `/main/checkout.php` at line 103, where the `pt` parameter is retrieved from user input and echoed directly into the front-end HTML without sanitization [ref_id=1].

What the fix does

No patch is published for this vulnerability. The advisory recommends that user-supplied input echoed into the page should be properly HTML-encoded or sanitized before output [ref_id=1]. Specifically, the `pt` parameter on line 103 of `/main/checkout.php` should be passed through a function like `htmlspecialchars()` in PHP to neutralize script tags and other HTML metacharacters [ref_id=1].
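To make the recommended fix concrete for both the mitigation advice above and this section, here is an added example in PHP. It is not code-projects' own checkout.php and not taken from the reference; the function names, the `$_GET` handling, the attribute context and the sample value are assumptions. It places a reconstruction of the described defect (the `pt` value echoed unchanged) beside the hardened form that passes it through `htmlspecialchars()`, and adds the defence-in-depth headers the mitigation section mentions.

```php
<?php
// Added example, not the project's own code. The vulnerable function is a
// hypothetical reconstruction of the pattern the advisory describes (the `pt`
// request value echoed into the HTML unchanged); the attribute context is assumed.

declare(strict_types=1);

// --- Vulnerable pattern (hypothetical reconstruction) ---
// A value containing a quote and an angle bracket closes the attribute and
// starts a new element, so the browser renders attacker-controlled markup.
function render_checkout_unsafe(string $pt): string
{
    return '<input type="text" name="pt" value="' . $pt . '">';
}

// --- Hardened pattern ---
// htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE converts <, >, &, " and '
// into entities, so the value can only be text inside the attribute.
// Naming the charset avoids encoding mismatches that can bypass the escaping.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_checkout_safe(string $pt): string
{
    return '<input type="text" name="pt" value="' . e($pt) . '">';
}

// Defence in depth along the lines of the mitigation section: a CSP without
// 'unsafe-inline' stops reflected markup from running as script, and an HttpOnly
// session cookie keeps the session identifier out of document.cookie.
function send_hardening_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
}

// Constructed, inert sample value with the same shape as a reflected payload.
$pt = isset($_GET['pt']) ? (string) $_GET['pt'] : '"><b>injected</b>';

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the two renderings side by side.
    echo 'unsafe: ', render_checkout_unsafe($pt), PHP_EOL;
    echo 'safe:   ', render_checkout_safe($pt), PHP_EOL;
} else {
    send_hardening_headers();
    header('Content-Type: text/html; charset=UTF-8');
    echo render_checkout_safe($pt);
}
```

Run it with `php example.php` to see that the unsafe rendering emits the sample value as live markup while the safe one emits only entities. Encoding at the output point (rather than stripping characters on input) is the durable fix, because the same value may later be placed in a different context; the CSP and cookie flags reduce the impact if an encoding gap is missed elsewhere.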

Preconditions

  • network: Attacker must be able to send a crafted HTTP request to the server hosting the application.
  • input: The victim (typically an administrator) must visit the attacker-crafted URL while logged into the application.

Reproduction

1. Set up the Point of Sales and Inventory Management System and access it on local port 80.
2. Visit the following URL: `http://192.168.211.1/pisp/main/checkout.php?pt=\"><ScRiPt>alert(1)</sCrIpT>&invoice=RS-38223922&total=&totalprof=&cashier=Administrator` [ref_id=1].
3. Observe that a JavaScript alert box appears, confirming the XSS vulnerability [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)