Venukamatchi

**Name of the Vulnerable Software and Affected Versions** Open Source Point of Sale (opensourcepos) versions prior to 3.4.2 **Description** The application is a web-based point of sale system written in PHP using the CodeIgniter framework. A security issue exists where an authenticated user with limited privileges can access the password change functionality for other users, including administrators. This is possible by manipulating the `employee id` parameter without proper authorization checks or verification of object ownership. The application does not verify that the current user has permission to modify the account associated with the specified `employee id`. Version 3.4.2 introduces object-level authorization checks to validate ownership of the `employee id` being accessed. **Recommendations** Versions prior to 3.4.2 should be updated to version 3.4.2 or later.