Open Source Point of Sale application exposes employee password change
CVE-2026-33730
Summary
An attacker with limited access can change other employees' passwords, including admin passwords. This is fixed in version 3.4.2. Update to the latest version to protect your system.
Original title
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vul...
Original description
Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the `employee_id` being accessed.
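The missing check described above, shown as an added illustration that is not opensourcepos code: a hypothetical CodeIgniter 4 controller action that selects the target row from the request-supplied `employee_id` alone, beside the object-level authorization the fixed version is described as adding. The controller name, the `EmployeeModel` methods and the session key are assumptions.

```php
<?php
// Constructed example; class, model methods and session key are hypothetical.
namespace App\Controllers;

use CodeIgniter\Controller;
use CodeIgniter\HTTP\ResponseInterface;

class Employees extends Controller
{
    // Vulnerable pattern (CWE-639): the authenticated session only proves the caller is
    // *some* employee; the row being written is chosen entirely by a client-controlled key.
    public function changePasswordVulnerable(): ResponseInterface
    {
        $employeeId = (int) $this->request->getPost('employee_id');
        model('EmployeeModel')->setPassword($employeeId, $this->request->getPost('password'));
        return $this->response->setJSON(['success' => true]);
    }

    // Hardened pattern: tie the target object to the caller before any write. The caller may
    // change only their own record unless the server-side role says they are an admin.
    public function changePassword(): ResponseInterface
    {
        $employeeId = (int) $this->request->getPost('employee_id');
        $currentId  = (int) session()->get('employee_id');   // assumed session key
        $isAdmin    = model('EmployeeModel')->isAdmin($currentId); // role comes from the DB, never the request

        if (!self::mayChangePassword($currentId, $isAdmin, $employeeId)) {
            // A mismatch here is the detection signal for an IDOR attempt: log it and refuse.
            log_message('warning', "employee {$currentId} attempted password change for employee {$employeeId}");
            return $this->response->setStatusCode(403)->setJSON(['error' => 'forbidden']);
        }

        model('EmployeeModel')->setPassword($employeeId, $this->request->getPost('password'));
        return $this->response->setJSON(['success' => true]);
    }

    // Pure object-level authorization rule, kept separate so it can be unit-tested:
    // an unauthenticated id (0) is never allowed; otherwise owner-or-admin.
    public static function mayChangePassword(int $currentId, bool $isAdmin, int $targetId): bool
    {
        return $currentId > 0 && ($currentId === $targetId || $isAdmin);
    }
}
```

A regression test for the fix only needs `mayChangePassword`: it must return false for a non-admin whose `$currentId` differs from `$targetId`, which is exactly the case the vulnerable action allowed.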
NVD CVSS 3.1
6.5
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 27 Mar 2026