CVE-2025-63800

High CVSS: 7.5

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.

Vendor

Opensourcepos

Product

Open Source Point Of Sale

CWE

CWE-521

Yayın Tarihi

2025-11-18 16:15:46

Güncelleme

2025-12-19 16:51:22

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-521 Open Source Point Of Sale HIGH Opensourcepos 2025

Referanslar

https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-63800 https://github.com/opensourcepos/opensourcepos https://opensourcepos.org/

Benzer Kayıtlar

Medium

CVE-2026-33730

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter fram…

Medium

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration…

High

CVE-2026-26746

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An atta…

Medium

CVE-2025-70095

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 all…

Medium

CVE-2025-70091

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute…

High

CVE-2025-70093

An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.