Lucene search
K
OpensourceposOpen Source Point Of Sale

19 matches found

CVE
CVE
added 2022/07/28 7:38 p.m.74 views

CVE-2022-34578

CVE-2022-34578 affects Open Source Point of Sale (OSPOS) v3.3.7. Reported as an arbitrary file upload vulnerability via the Update Branding Settings page; root cause not detailed in the provided sources beyond the upload flaw. No explicit exploit in the supplied documents; no patch version or wor...

7.2CVSS7.1AI score0.00993EPSS
CVE
CVE
added 2026/02/20 12:0 a.m.26 views

CVE-2026-26746

OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) in Sales.php::getInvoice(), allowing an attacker to read arbitrary server files via Invoice Type manipulation. This may be chained with file upload to achieve Remote Code Execution (RCE). No exploit details are provided in these documents ...

8.8CVSS6AI score0.00575EPSS
CVE
CVE
added 2026/01/13 9:25 p.m.23 views

CVE-2025-68658

CVE-2025-68658 affects Open Source Point of Sale (opensourcepos) 3.4.0–3.4.1. It is a stored XSS in the Configuration → Information workflow: an authenticated user with the permission “Configuration: Change OSPOS's Configuration” can inject JavaScript into the Company Name field; the payload is s...

4.8CVSS5.5AI score0.0018EPSS
Web
CVE
CVE
added 2025/12/17 10:16 p.m.21 views

CVE-2025-68147

Summary (CVE-2025-68147 for OpenSourcePOS) OpenSourcePOS (CodeIgniter PHP app) versions 3.4.0–3.4.1 contain a stored XSS in the “Return Policy” field of the Store Configuration. The flaw stems from insufficient sanitization when saving/displaying the policy, allowing an attacker with configuratio...

8.1CVSS5AI score0.00309EPSS
Web
CVE
CVE
added 2025/12/17 10:20 p.m.20 views

CVE-2025-68434

CVE-2025-68434 affects OpenSourcePOS 3.4.0–3.4.1, where CSRF protection was explicitly disabled in the global filters, allowing a logged-in administrator’s browser to be coerced into making state-changing POST requests and silently create a new Administrator account. The issue is fixed in 3.4.2 b...

8.8CVSS6.7AI score0.00236EPSS
CVE
CVE
added 2025/11/18 12:0 a.m.19 views

CVE-2025-63800

Open Source Point of Sale 3.4.1 contains a flaw in the password change endpoint: if an authenticated user omits or leaves the password and repeat_password fields empty, the server may treat it as a valid request and set the user’s password to an empty string. This lacks server-side validation and...

7.5CVSS6.5AI score0.00408EPSS
CVE
CVE
added 2026/03/20 2:14 a.m.17 views

CVE-2026-32888

CVE-2026-32888 affects Open Source Point of Sale (PHP, CodeIgniter). A SQL Injection exists in the Items search functionality when the custom attribute search feature (search_custom) is enabled: user input from the search GET parameter is interpolated directly into a HAVING clause without paramet...

8.8CVSS6.2AI score0.00316EPSS
CVE
CVE
added 2026/02/13 12:0 a.m.16 views

CVE-2025-70094

CVE-2025-70094 describes an XSS flaw in the OpenSourcePOS 3.4.1 Generate Item Barcode function. The vulnerability allows an attacker to inject crafted payloads into the Item Category parameter, enabling execution of arbitrary web scripts/HTML in the victim’s browser. The issue affects the Generat...

6.5CVSS5.5AI score0.00162EPSS
CVE
CVE
added 2026/04/07 7:49 p.m.15 views

CVE-2026-39380

Open Source Point of Sale (OSPOS) has a Stored XSS in the Stock Locations configuration. Before version 3.4.3, the stock_location input is not properly sanitized, allowing injected JavaScript to be stored in the database and executed when viewing the Employees interface. Affected product: OSPOS (...

5.4CVSS6AI score0.00162EPSS
CVE
CVE
added 2026/02/20 12:0 a.m.13 views

CVE-2026-26745

CVE-2026-26745 affects OpenSourcePOS 3.4.1. Affected component: the currency_symbol configuration field. The vulnerability is a second-order SQL Injection where input is stored and later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This c...

5.3CVSS6.1AI score0.00299EPSS
CVE
CVE
added 2026/04/07 8:37 p.m.13 views

CVE-2026-32712

Open Source Point of Sale (OSPOS) has a Stored XSS vulnerability in the Daily Sales page prior to version 3.4.3. The issue arises from the customer_name field being configured with escape: false in the bootstrap-table setup, causing customer names to render as raw HTML. With customer management p...

5.4CVSS6AI score0.00169EPSS
CVE
CVE
added 2026/03/27 12:30 a.m.13 views

CVE-2026-33730

Open Source Point of Sale (opensourcepos) is a PHP web app using CodeIgniter. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) allows an authenticated low-privilege user to access the password change functionality of other users (including administrators) by manipulating the emp...

6.5CVSS5.8AI score0.00277EPSS
CVE
CVE
added 2025/12/17 12:0 a.m.11 views

CVE-2025-66923

Open Source Point of Sale (OSPOS) v3.4.1 contains a Cross‑Site Scripting (XSS) vulnerability in the Create/Update Customer(s) flow, exploitable via the phone_number parameter. The issue can lead to arbitrary script/HTML execution in the browser, with CVSSv3.1 base score 7.2 (HIGH) and impact on c...

7.2CVSS5.5AI score0.00465EPSS
CVE
CVE
added 2025/12/17 12:0 a.m.11 views

CVE-2025-66924

CVE-2025-66924 (Open Source Point of Sale 3.4.1) : A Cross-site scripting (XSS) vulnerability exists in Create/Update Item Kit(s) that allows remote attackers to inject arbitrary script/HTML via the name parameter. The root cause is an unvalidated/unsanitized name input in item kit creation/updat...

6.1CVSS5.5AI score0.00217EPSS
CVE
CVE
added 2026/02/13 12:0 a.m.11 views

CVE-2025-70091

OpenSourcePOS v3.4.1 is affected by a cross-site scripting (XSS) vulnerability in the Customers function, enabling attackers to inject arbitrary scripts via the Phone Number parameter. Root cause: input validation in the Phone Number field appears insufficient across multiple sources. Impact stat...

6.5CVSS5.5AI score0.00162EPSS
CVE
CVE
added 2026/02/13 12:0 a.m.11 views

CVE-2025-70093

OpenSourcePOS v3.4.1 is affected by CVE-2025-70093, described as an arbitrary code execution vulnerability triggered by returning a crafted AJAX response. The available sources corroborate a high-severity issue (CVSS 7.4; network attack, no user interaction) affecting OpenSourcePOS 3.4.1. The doc...

7.4CVSS6AI score0.00342EPSS
CVE
CVE
added 2026/02/13 12:0 a.m.11 views

CVE-2025-70095

OpenSourcePOS v3.4.1 is affected by a cross-site scripting (XSS) vulnerability in the item management and sales invoice function. Multiple feeds corroborate that an attacker can inject a crafted payload to execute arbitrary web scripts or HTML. Some sources flag insufficient input validation as t...

6.5CVSS5.5AI score0.00162EPSS
CVE
CVE
added 2025/12/17 12:0 a.m.10 views

CVE-2025-66921

CVE-2025-66921 describes a Cross-site scripting (XSS) vulnerability in the Open Source Point of Sale (OSPOS) v3.4.1, specifically in the Create/Update Item(s) Module. The issue arises from improper handling of the name parameter, allowing remote attackers to inject arbitrary web script or HTML. M...

7.2CVSS5.5AI score0.00465EPSS
CVE
CVE
added 2026/02/12 12:0 a.m.9 views

CVE-2025-70092

OpenSourcePOS v3.4.1 is affected by a cross-site scripting (XSS) vulnerability in the Item Kits function. The issue allows an attacker to inject arbitrary web scripts or HTML by supplying a crafted payload into the Item Name parameter, due to insufficient input handling. Impact is described as XS...

5.5CVSS5.5AI score0.00196EPSS