CVE-2026-33730

Medium CVSS: 6.5

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed.

Vendor

Opensourcepos

Product

Open Source Point Of Sale

CWE

CWE-639

Yayın Tarihi

2026-03-27 01:16:20

Güncelleme

2026-04-01 15:05:18

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-639 Open Source Point Of Sale MEDIUM Opensourcepos 2026

Referanslar

https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624 https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch

Benzer Kayıtlar

Medium

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration…

High

CVE-2026-26746

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An atta…

Medium

CVE-2025-70095

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 all…

Medium

CVE-2025-70091

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute…

High

CVE-2025-70093

An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response.

Medium

CVE-2025-70094

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attacker…