{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33730", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.560Z", "datePublished": "2026-03-27T00:30:02.069Z", "dateUpdated": "2026-03-27T19:59:15.920Z"}, "containers": {"cna": {"title": "Open Source Point of Sale has an IDOR in Password Change (Home)", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch"}, {"name": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624"}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"version": "< 3.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:30:02.069Z"}, "descriptions": [{"lang": "en", "value": "Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed."}], "source": {"advisory": "GHSA-mcc2-8rp2-q6ch", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:26:14.486059Z", "id": "CVE-2026-33730", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:59:15.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33730", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:26:14.486059Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:26:18.610Z"}}], "cna": {"title": "Open Source Point of Sale has an IDOR in Password Change (Home)", "source": {"advisory": "GHSA-mcc2-8rp2-q6ch", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"status": "affected", "version": "< 3.4.2"}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch", "name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624", "name": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:30:02.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33730", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:59:15.920Z", "dateReserved": "2026-03-23T17:34:57.560Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T00:30:02.069Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*", "matchCriteriaId": "401D867E-4CA1-48F9-9C5D-492BCAAC8106", "versionEndExcluding": "3.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed."}, {"lang": "es", "value": "Open Source Point of Sale (opensourcepos) es una aplicaci\u00f3n de punto de venta basada en la web escrita en PHP utilizando el framework CodeIgniter. Antes de la versi\u00f3n 3.4.2, una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) permite a un usuario autenticado con bajos privilegios acceder a la funcionalidad de cambio de contrase\u00f1a de otros usuarios, incluidos los administradores, manipulando el par\u00e1metro 'employee_id'. La aplicaci\u00f3n no verifica la propiedad del objeto ni aplica comprobaciones de autorizaci\u00f3n. La versi\u00f3n 3.4.2 a\u00f1ade comprobaciones de autorizaci\u00f3n a nivel de objeto para validar que el usuario actual es propietario del 'employee_id' al que se accede."}], "id": "CVE-2026-33730", "lastModified": "2026-04-01T15:05:18.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:20.577", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opensourcepos", "source": "cna", "vendor": "opensourcepos"}, "product": "opensourcepos", "vendor": "opensourcepos"}], "analysis": {"en": {"generated_at": "2026-04-02T05:16:49.531994+00:00", "value": {"mitigation_remediation": ["Upgrade Open Source Point of Sale to version 3.4.2 or later to enforce object\u2011level authorization checks.", "Verify that the new version is in use and that the password change endpoint denies access to users who do not own the employee_id.", "If an upgrade is not immediately feasible, disable or block the password change functionality for low\u2011privileged accounts until the patch can be applied.", "Monitor authentication logs for unusual password change attempts and investigate any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via IDOR to change other users' passwords"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Open Source Point of Sale web application made by opensourcepos. Versions released before 3.4.2 are affected; the 3.4.2 release adds object\u2011level authorization checks that prevent this exploit.", "description_and_impact": "An insecure direct object reference allows an authenticated low\u2011privileged user to manipulate the employee_id parameter on the password change page and modify the credentials of any other account, including administrators. Because the application does not verify ownership of the requested object, the attacker can change another user\u2019s password and subsequently log in as that user, thereby gaining full control over the system. This breach compromises both confidentiality and integrity of the application and its data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate level of severity, while the EPSS score of less than 1% suggests that active exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. It is inferred that the attack requires an authenticated user who knows or can guess a target employee_id; once the IDOR is used to change a password, the attacker can thereafter log in as the target. The likely attack vector is the web interface password change page and is limited to users with existing credentials."}}}}, "created": "2026-03-27T08:31:09.530432+00:00", "updated": "2026-04-02T07:55:52.901477+00:00", "vendors": ["opensourcepos", "opensourcepos$PRODUCT$opensourcepos"]}