PT-2025-47338 · Unknown · Open Source Point Of Sale
Omkaryepre
·
Published
2025-11-18
·
Updated
2025-11-19
·
CVE-2025-63800
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Open Source Point of Sale version 3.4.1
Description
The password change functionality has a flaw where a user can set an empty password due to a lack of server-side validation. Omitting or providing empty values for the
password and repeat password parameters in a password change request results in a successful response and an empty password being set. This bypasses authentication and potentially allows unauthorized access to user or administrative accounts. The vulnerable API endpoint is the password change endpoint.Recommendations
Apply a fix that enforces server-side validation to prevent setting an empty password.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Open Source Point Of Sale