cvedb.io
CVE-2025-60503
HIGH · CVSS 8.7
EPSS exploitation probability: 0%
Published 2025-11-03T16:15:35.333 · Last modified 2026-06-17T09:49:47.903

Summary

A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated attacker to execute arbitrary JavaScript in the context of an administrator's browser session, which could lead to session hijacking or other malicious actions.

Affected products

ultimatefosters — ultimatepos

Does this affect you?

Add your gear to cvedb and we'll alert you only when ultimatefosters ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.