PT-2025-51977 · Unknown · Open Source Point Of Sale

Nixon-H · Published 2025-12-17 · Updated 2025-12-22 · CVE-2025-68434

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Open Source Point of Sale versions 3.4.0 through 3.4.1

Description: Open Source Point of Sale is a web-based point-of-sale application written in PHP on the CodeIgniter framework. Versions 3.4.0 through 3.4.1 are vulnerable to Cross-Site Request Forgery (CSRF) because the framework's CSRF protection mechanism was explicitly disabled. An unauthenticated remote attacker can host a malicious web page that, when visited by a logged-in administrator, makes the administrator's browser send unauthorized requests to the application. A successful exploit lets the attacker create a new Administrator account with full privileges, leading to a complete system takeover. The vulnerability is related to the configuration of the CSRF filter in app/Config/Filters.php.

Recommendations: Versions 3.4.0 and 3.4.1 should be updated to version 3.4.2. As a temporary workaround, administrators can manually re-enable the CSRF filter in app/Config/Filters.php by uncommenting the protection line, but this is not recommended without applying the full patch, because it may break functionality in the Sales module.
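As an added illustration (not code from the OSPOS project or from this advisory), here is a CodeIgniter 4 app/Config/Filters.php showing the weak setting the advisory describes beside the corrected one. The class and filter names are the standard CodeIgniter 4 ones; the route pattern in 'except' is a placeholder, not an OSPOS route.

```php
<?php

// Added example, not the OSPOS project's own file: a CodeIgniter 4
// app/Config/Filters.php with the weak setting beside the corrected one.
// Class and filter names are the standard CodeIgniter 4 ones; the route
// pattern in 'except' is a placeholder for a route that genuinely cannot
// carry a token (for example an unauthenticated third-party webhook).

namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\DebugToolbar;

class Filters extends BaseConfig
{
    public array $aliases = [
        'csrf'    => CSRF::class,
        'toolbar' => DebugToolbar::class,
    ];

    // VULNERABLE (the situation the advisory describes): the 'csrf' entry is
    // commented out, so no state-changing request is checked for a token and
    // a forged cross-site POST sent by a logged-in admin's browser is accepted.
    //
    //     'before' => [
    //         // 'csrf',
    //     ],

    // CORRECTED: run the CSRF filter globally before every request. Narrow
    // exemptions go in 'except' rather than disabling the filter outright,
    // which keeps admin actions such as user creation protected.
    public array $globals = [
        'before' => [
            'csrf' => ['except' => ['webhook/*']], // placeholder pattern
        ],
        'after' => [
            'toolbar',
        ],
    ];

    public array $methods = [];

    public array $filters = [];
}
```

Once the filter is on, every HTML form must emit the token with csrf_field() and JavaScript requests must send it in the X-CSRF-TOKEN header (the framework's default header name); forms that were never given a token start failing, which is the kind of breakage the advisory warns about for the Sales module.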

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers: CVE-2025-68434, GHSA-WJM4-HFWG-5W5R

Affected Products: Open Source Point Of Sale