Description
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed.
Published: 2026-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Password Change
Action: Immediate Patch
AI Analysis

Impact

An insecure direct object reference flaw lets a logged‐in user with low privileges change the password of another account by altering the employee_id field in the request. The application does not verify that the current user owns the target employee record, so the vulnerable code permits modifying another user’s credentials. This weakness allows the attacker to take over that account if the password change succeeds.

Affected Systems

The affected system is the Open Source Point of Sale web application written in PHP and built on the CodeIgniter framework. Versions earlier than 3.4.2 contain the flaw. Version 3.4.2 and later add authorization checks that restrict password changes to the owning employee.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Exploitation requires an authenticated session and the ability to manipulate the employee_id parameter, typically through a URL or form submission; the likely attack vector is via the web interface. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so while the probability of active exploitation is uncertain, the impact if successful is significant.

Generated by OpenCVE AI on March 27, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open Source Point of Sale version 3.4.2 or newer to enforce proper authorization on password changes.

Generated by OpenCVE AI on March 27, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Opensourcepos
Opensourcepos opensourcepos
Vendors & Products Opensourcepos
Opensourcepos opensourcepos

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed.
Title Open Source Point of Sale has an IDOR in Password Change (Home)
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Opensourcepos Opensourcepos
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T00:30:02.069Z

Reserved: 2026-03-23T17:34:57.560Z

Link: CVE-2026-33730

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T01:16:20.577

Modified: 2026-03-27T01:16:20.577

Link: CVE-2026-33730

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:31Z

Weaknesses