Platform
codeigniter
Component
opensourcepos
Fixed in
3.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Open Source Point of Sale versions 3.4.0 through 3.4.1. This flaw arises from the explicit disabling of CSRF protection, allowing unauthorized actions to be performed on behalf of authenticated administrators. Successful exploitation could lead to unauthorized modifications of system configurations or sensitive data. The vulnerability is resolved in version 3.4.2.
The core of this vulnerability lies in the deliberate disabling of CSRF protection within the Open Source Point of Sale application. This means that an attacker can craft a malicious web page that, when visited by a logged-in administrator, will automatically trigger actions as if the administrator initiated them. For example, an attacker could modify product prices, create fraudulent users with administrative privileges, or even delete critical data. The blast radius is significant, as a single compromised administrator account can grant an attacker control over the entire point-of-sale system. This vulnerability shares similarities with other CSRF exploits where inadequate input validation and authentication bypasses allow for unauthorized actions.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation given the explicit disabling of CSRF protection suggests a medium probability of exploitation. The vulnerability was publicly disclosed on December 17, 2025, and the vendor has released a patch.
Organizations utilizing Open Source Point of Sale versions 3.4.0 through 3.4.1, particularly those with limited security expertise or those relying on default configurations, are at significant risk. Shared hosting environments where multiple users share the same server instance are also vulnerable, as a compromise of one user's account could potentially impact others.
• linux / server: Monitor access logs for unusual POST requests originating from external sources. Look for patterns indicative of CSRF attacks, such as requests targeting administrative endpoints with unexpected parameters. In the Apache combined log format the method precedes the path, so match on the request line:
grep -iE '"POST [^"]*admin/' /var/log/apache2/access.log
• generic web: Use curl to test endpoints that require administrative privileges. Attempt to craft requests that modify data or perform actions without proper CSRF tokens; a patched instance must reject such a request.
curl -X POST -d 'param1=value1&param2=value2' https://your-pos-instance/admin/endpoint
• wordpress / composer / npm: While this vulnerability is not directly within WordPress, Composer, or npm, ensure that any plugins or modules interacting with the Open Source Point of Sale system are up-to-date and properly secured to prevent potential supply chain attacks.
disclosure
patch
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68434 is to immediately upgrade Open Source Point of Sale to version 3.4.2 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, review and restrict administrator access privileges to minimize the potential impact of a successful attack. Regularly audit user permissions and disable unnecessary accounts. While not a direct fix, enforcing strong password policies and multi-factor authentication can reduce the likelihood of an administrator account being compromised in the first place.
Update Open Source Point of Sale to version 3.4.2 or later. This version fixes the CSRF vulnerability by re-enabling the CSRF filter in the application configuration. If you cannot update immediately, you can enable the CSRF filter manually in `app/Config/Filters.php` by uncommenting the protection line, although this may cause problems in the sales module.
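The configuration change described above, as an added example that is not Open Source Point of Sale's own file: CodeIgniter 4's `app/Config/Filters.php` with the CSRF filter disabled (the state the advisory describes) beside the re-enabled form. The file layout follows CodeIgniter 4's shipped defaults; the exact contents of the project's file and the exception route pattern in the comment are assumptions.

```php
<?php
// Added example (not the project's file): CodeIgniter 4 filter configuration
// showing the weak and the corrected CSRF setting side by side.
namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;

class Filters extends BaseConfig
{
    // Filter aliases as shipped by CodeIgniter 4; 'csrf' maps to the
    // built-in filter that validates the token on every state-changing request.
    public array $aliases = [
        'csrf' => CSRF::class,
    ];

    // VULNERABLE STATE: with 'csrf' commented out in the 'before' list, no
    // POST/PUT/DELETE request is checked for a token, so a cross-site form
    // submission is accepted on the strength of the administrator's session
    // cookie alone. (Kept here as a commented block for comparison.)
    /*
    public array $globals = [
        'before' => [
            // 'csrf',
        ],
        'after' => [],
    ];
    */

    // FIXED STATE: 'csrf' runs before every request. If a specific route
    // genuinely cannot carry a token (the advisory notes the sales module may
    // misbehave), scope an exception to that route instead of disabling the
    // filter globally again, e.g.
    //   'csrf' => ['except' => ['some/route/*']]   // placeholder path
    public array $globals = [
        'before' => [
            'csrf',
        ],
        'after' => [],
    ];
}
```

The token name, cookie settings and regeneration behaviour come from CodeIgniter's separate `app/Config/Security.php`; enabling the filter here does not change them.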
CVE-2025-68434 is a Cross-Site Request Forgery (CSRF) vulnerability in Open Source Point of Sale versions 3.4.0 up to, but not including, 3.4.2, where CSRF protection is explicitly disabled, allowing attackers to perform actions as an administrator.
You are affected if you are running Open Source Point of Sale versions 3.4.0 through 3.4.1. Verify your version and upgrade immediately.
Upgrade to version 3.4.2 or later. As a temporary workaround, implement a WAF with CSRF protection rules.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a medium probability of exploitation.
Refer to the official Open Source Point of Sale security advisory for detailed information and updates: [https://opensourcepos.org/security/advisories/](https://opensourcepos.org/security/advisories/)