{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33730", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.560Z", "datePublished": "2026-03-27T00:30:02.069Z", "dateUpdated": "2026-03-27T00:30:02.069Z"}, "containers": {"cna": {"title": "Open Source Point of Sale has an IDOR in Password Change (Home)", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch"}, {"name": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624"}], "affected": [{"vendor": "opensourcepos", "product": "opensourcepos", "versions": [{"version": "< 3.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:30:02.069Z"}, "descriptions": [{"lang": "en", "value": "Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed."}], "source": {"advisory": "GHSA-mcc2-8rp2-q6ch", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed."}], "id": "CVE-2026-33730", "lastModified": "2026-03-27T01:16:20.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:20.577", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624"}, {"source": "security-advisories@github.com", "url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opensourcepos", "source": "cna", "vendor": "opensourcepos"}, "product": "opensourcepos", "vendor": "opensourcepos"}], "analysis": {"en": {"generated_at": "2026-03-27T06:51:09.847368+00:00", "value": {"mitigation_remediation": ["Upgrade to Open Source Point of Sale version 3.4.2 or newer to enforce proper authorization on password changes."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Password Change"}, "threat_synthesis": {"affected_systems": "The affected system is the Open Source Point of Sale web application written in PHP and built on the CodeIgniter framework. Versions earlier than 3.4.2 contain the flaw. Version 3.4.2 and later add authorization checks that restrict password changes to the owning employee.", "description_and_impact": "An insecure direct object reference flaw lets a logged\u2010in user with low privileges change the password of another account by altering the employee_id field in the request. The application does not verify that the current user owns the target employee record, so the vulnerable code permits modifying another user\u2019s credentials. This weakness allows the attacker to take over that account if the password change succeeds.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. Exploitation requires an authenticated session and the ability to manipulate the employee_id parameter, typically through a URL or form submission; the likely attack vector is via the web interface. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so while the probability of active exploitation is uncertain, the impact if successful is significant."}}}}, "created": "2026-03-27T08:31:09.530432+00:00", "updated": "2026-03-27T09:22:31.977843+00:00", "vendors": ["opensourcepos", "opensourcepos$PRODUCT$opensourcepos"]}