Description
Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed.
Published: 2026-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via IDOR to change other users' passwords
Action: Immediate Patch
AI Analysis

Impact

An insecure direct object reference allows an authenticated low‑privileged user to manipulate the employee_id parameter on the password change page and modify the credentials of any other account, including administrators. Because the application does not verify ownership of the requested object, the attacker can change another user’s password and subsequently log in as that user, thereby gaining full control over the system. This breach compromises both confidentiality and integrity of the application and its data.

Affected Systems

The vulnerability exists in the Open Source Point of Sale web application made by opensourcepos. Versions released before 3.4.2 are affected; the 3.4.2 release adds object‑level authorization checks that prevent this exploit.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate level of severity, while the EPSS score of less than 1% suggests that active exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. It is inferred that the attack requires an authenticated user who knows or can guess a target employee_id; once the IDOR is used to change a password, the attacker can thereafter log in as the target. The likely attack vector is the web interface password change page and is limited to users with existing credentials.

Generated by OpenCVE AI on April 2, 2026 at 05:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open Source Point of Sale to version 3.4.2 or later to enforce object‑level authorization checks.
  • Verify that the new version is in use and that the password change endpoint denies access to users who do not own the employee_id.
  • If an upgrade is not immediately feasible, disable or block the password change functionality for low‑privileged accounts until the patch can be applied.
  • Monitor authentication logs for unusual password change attempts and investigate any suspicious activity.
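The description above explains the IDOR (the handler trusts the employee_id sent in the request) and the recommended actions ask for a check that the endpoint denies cross-user password changes. As an added example, not opensourcepos code, here is a minimal Python model of the pre-3.4.2 handler beside an object-level-authorized one, plus that check; the in-memory user store, the admin flag and the rule that an admin may still reset other accounts are assumptions.

```python
import hashlib
import hmac
import os

class Forbidden(Exception):
    """Raised when the session user may not act on the requested employee_id."""

# Constructed in-memory store: employee_id -> record. The admin flag and the
# "an admin may still reset other accounts" rule are assumptions for this model.
USERS = {1: {"is_admin": True}, 7: {"is_admin": False}}

def _set_password(employee_id: int, new_password: str) -> None:
    salt = os.urandom(16)
    USERS[employee_id]["salt"] = salt
    USERS[employee_id]["hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)

def verify_password(employee_id: int, password: str) -> bool:
    rec = USERS[employee_id]
    if "hash" not in rec:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(cand, rec["hash"])

def change_password_vulnerable(session_user_id: int, employee_id: int, new_password: str) -> None:
    """Pre-3.4.2 pattern (CWE-639): employee_id is taken from the request and
    never compared with the session user, so session_user_id is simply ignored."""
    _set_password(employee_id, new_password)

def change_password_fixed(session_user_id: int, employee_id: int, new_password: str) -> None:
    """Object-level authorization: the session user must own employee_id
    (or, by assumption here, be an admin) before the record is touched."""
    if employee_id != session_user_id and not USERS[session_user_id]["is_admin"]:
        raise Forbidden(f"user {session_user_id} may not modify employee {employee_id}")
    _set_password(employee_id, new_password)

def endpoint_denies_cross_user_change(handler) -> bool:
    """The check from the recommended actions: a low-privileged session (7)
    targeting the admin (1) must be refused and the admin credential left intact."""
    _set_password(1, "admin-original")
    try:
        handler(session_user_id=7, employee_id=1, new_password="attacker-chosen")
    except Forbidden:
        return verify_password(1, "admin-original")
    return False  # no Forbidden raised: the handler rewrote another user's credential

if __name__ == "__main__":
    print("vulnerable handler denies cross-user change:", endpoint_denies_cross_user_change(change_password_vulnerable))
    print("fixed handler denies cross-user change:", endpoint_denies_cross_user_change(change_password_fixed))
```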

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Values added:
  • First Time appeared: Opensourcepos Open Source Point Of Sale
  • CPEs: cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*
  • Vendors & Products: Opensourcepos Open Source Point Of Sale

Fri, 27 Mar 2026 20:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Values added:
  • First Time appeared: Opensourcepos; Opensourcepos opensourcepos
  • Vendors & Products: Opensourcepos; Opensourcepos opensourcepos

Fri, 27 Mar 2026 04:00:00 +0000

Values added:
  • Description: Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed.
  • Title: Open Source Point of Sale has an IDOR in Password Change (Home)
  • Weaknesses: CWE-639
  • References:
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:59:15.920Z

Reserved: 2026-03-23T17:34:57.560Z

Link: CVE-2026-33730

Vulnrichment

Updated: 2026-03-27T13:26:18.610Z

NVD

Status : Analyzed

Published: 2026-03-27T01:16:20.577

Modified: 2026-04-01T15:05:18.343

Link: CVE-2026-33730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:52Z

Weaknesses