CVE-2025-40724
Description
Stored Cross-Site Scripting (XSS) vulnerability in Pharmacy POS PHP Script. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the u_medicine_name parameter in /edit_medicine.php. This vulnerability can be exploited to steal sensitive user data such as session cookies or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in Pharmacy POS PHP Script allows attackers to inject JavaScript via the u_medicine_name parameter, leading to session theft or unauthorized actions.
Vulnerability
Overview
CVE-2025-40724 is a stored Cross-Site Scripting (XSS) vulnerability in the Pharmacy POS PHP Script, a solution for managing pharmacy operations. The root cause is insufficient sanitization of the u_medicine_name parameter in the /edit_medicine.php endpoint, allowing an attacker to inject arbitrary JavaScript code that is stored and later executed in the context of a victim's browser [1].
Exploitation
Prerequisites
An attacker must have low-privilege access (PR:L) to the application and trick a victim into visiting a crafted URL containing the malicious payload. The attack requires user interaction (UI:P) and can be launched over the network (AV:N) [1]. The stored script triggers when the victim accesses the affected page, executing the injected code.
Impact
Successful exploitation enables the attacker to steal sensitive user data, such as session cookies, or perform actions on behalf of the authenticated victim. This can lead to account takeover, data exfiltration, or unauthorized operations within the pharmacy management system [1].
Mitigation
The Pharmacy POS PHP Script team has released a fix in the latest software version. Users are strongly advised to update to the patched release to eliminate the vulnerability [1].
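The overview above names insufficient sanitization of u_medicine_name as the root cause, and the vendor's update as the remedy. The following is an added illustration written for this page, not code from the Pharmacy POS PHP Script or its author: a hypothetical edit-medicine handler that shows the unescaped rendering pattern that produces stored XSS next to a hardened version that encodes on output and stores the value with a prepared statement. Only the field name u_medicine_name and the endpoint come from the advisory; the function names, the `medicine` table, the column names and the length limit are assumptions.

```php
<?php
// Added example for this page; not the Pharmacy POS PHP Script's own code.
// The field name u_medicine_name comes from the advisory; the table,
// columns, function names and validation policy below are assumptions.

// --- Vulnerable pattern, shown for contrast -------------------------------
// The stored value is concatenated straight into the HTML response, so any
// markup a low-privilege user saved earlier is parsed as HTML/script in the
// browser of whoever later opens the edit page.
function render_unsafe(string $storedName): string
{
    return '<input type="text" name="u_medicine_name" value="'
        . $storedName . '">';
}

// --- Hardened pattern: contextual output encoding at render time ----------
function esc_attr(string $value): string
{
    // ENT_QUOTES escapes both " and ' (required inside attribute values);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
    // string, which would otherwise silently drop the field's content.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $storedName): string
{
    // Encode at the point of output, for the HTML attribute context.
    return '<input type="text" name="u_medicine_name" value="'
        . esc_attr($storedName) . '">';
}

// --- Input side: validate, then store with a parameterized query ----------
// Validation limits what can be stored; it does not replace output encoding,
// because the same value may be rendered in several contexts later.
function validate_medicine_name(string $name): bool
{
    // Length and character policy are assumptions for this example.
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 100
        && preg_match('/^[\p{L}\p{N} .,()\/%-]+$/u', $name) === 1;
}

function handle_edit(PDO $db, array $post): void
{
    $name = (string)($post['u_medicine_name'] ?? '');
    if (!validate_medicine_name($name)) {
        http_response_code(400);
        exit('invalid medicine name');
    }
    // Prepared statement: the value is bound, never interpolated into SQL.
    $stmt = $db->prepare('UPDATE medicine SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => (int)($post['id'] ?? 0)]);
}

// Constructed sample value (not from the advisory) that contains characters
// with meaning in an HTML attribute context.
$sample = 'Amoxicillin "500mg" <b>capsules</b>';

echo "unsafe: " . render_unsafe($sample) . PHP_EOL;
echo "safe:   " . render_safe($sample) . PHP_EOL;
echo "valid:  " . (validate_medicine_name($sample) ? 'yes' : 'no') . PHP_EOL;
```

Running the script shows the contrast: render_unsafe emits the quotes and the <b> tag verbatim, which terminates the attribute and injects markup, while render_safe emits `&quot;500mg&quot; &lt;b&gt;capsules&lt;/b&gt;`, which the browser displays as literal text. The sample also fails validate_medicine_name, so the hardened handler would refuse to store it in the first place. Output encoding is the control that actually closes the reported issue; input validation and a restrictive Content-Security-Policy header are defence in depth, since a medicine name stored today may be rendered in a new template tomorrow.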
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.