Platform
codeigniter
Component
opensourcepos
Fixed in
3.4.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Open Source Point of Sale versions 3.4.0 through 3.4.1. This flaw arises from the explicit disabling of CSRF protection, allowing unauthorized actions to be performed on behalf of authenticated administrators. Successful exploitation could lead to unauthorized modifications of system configurations or sensitive data. The vulnerability is resolved in version 3.4.2.
The core of this vulnerability lies in the deliberate disabling of CSRF protection within the Open Source Point of Sale application. This means that an attacker can craft a malicious web page that, when visited by a logged-in administrator, will automatically trigger actions as if the administrator initiated them. For example, an attacker could modify product prices, create fraudulent users with administrative privileges, or even delete critical data. The blast radius is significant, as a single compromised administrator account can grant an attacker control over the entire point-of-sale system. This vulnerability shares similarities with other CSRF exploits where inadequate input validation and authentication bypasses allow for unauthorized actions.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation given the explicit disabling of CSRF protection suggests a medium probability of exploitation. The vulnerability was publicly disclosed on December 17, 2025, and the vendor has released a patch.
Organizations utilizing Open Source Point of Sale versions 3.4.0 through 3.4.1, particularly those with limited security expertise or those relying on default configurations, are at significant risk. Shared hosting environments where multiple users share the same server instance are also vulnerable, as a compromise of one user's account could potentially impact others.
• linux / server: Monitor access logs for unusual POST requests originating from external sources. Look for patterns indicative of CSRF attacks, such as requests targeting administrative endpoints with unexpected parameters.
grep -iE '"POST [^"]*admin' /var/log/apache2/access.log   # Apache logs the request line as "POST /path ...", so the method precedes the path
• generic web: Use curl to test endpoints that require administrative privileges. Attempt to craft requests that modify data or perform actions without proper CSRF tokens.
curl -X POST -d 'param1=value1&param2=value2' https://your-pos-instance/admin/endpoint
• wordpress / composer / npm: While this vulnerability is not directly within WordPress, Composer, or npm, ensure that any plugins or modules interacting with the Open Source Point of Sale system are up-to-date and properly secured to prevent potential supply chain attacks.
Exploit Status
EPSS
0.13% (32nd percentile)
The primary mitigation for CVE-2025-68434 is to immediately upgrade Open Source Point of Sale to version 3.4.2 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, review and restrict administrator access privileges to minimize the potential impact of a successful attack. Regularly audit user permissions and disable unnecessary accounts. While not a direct fix, enforcing strong password policies and multi-factor authentication can reduce the likelihood of an administrator account being compromised in the first place.
Update Open Source Point of Sale to version 3.4.2 or later. That version fixes the CSRF vulnerability by re-enabling the CSRF filter in the application configuration. If you cannot update immediately, you can enable the CSRF filter manually in `app/Config/Filters.php` by uncommenting the protection line, although this may cause problems in the sales module.
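The weak setting the remediation describes next to its corrected form, as an added example that is not code from the OSPOS project: it assumes a stock CodeIgniter 4 `app/Config/Filters.php` (class, alias and key names are CodeIgniter's) and does not reproduce the contents of OSPOS's own file.

```php
<?php
// Added example, not OSPOS code: a CodeIgniter 4 app/Config/Filters.php
// with the 'csrf' filter first shown commented out (the state described in
// CVE-2025-68434) and then enabled. Key names follow CodeIgniter 4's
// Filters config; OSPOS's actual file contents are assumed, not copied.

namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\DebugToolbar;

class Filters extends BaseConfig
{
    // Maps the filter names used below to their implementing classes.
    public array $aliases = [
        'csrf'    => CSRF::class,
        'toolbar' => DebugToolbar::class,
    ];

    // Filters applied to every request, before or after the controller.
    //
    // WEAK: with 'csrf' commented out, no state-changing (non-GET) request
    // is checked for a token, so a form on an attacker's page submitted by
    // a logged-in administrator's browser is handled as the administrator.
    //
    //     'before' => [
    //         // 'csrf',
    //     ],
    //
    // FIXED: 'csrf' runs before every request; a state-changing request
    // without a valid token is rejected instead of being executed.
    public array $globals = [
        'before' => [
            'csrf',
        ],
        'after' => [
            'toolbar',
        ],
    ];

    // Per-route filters; left empty so no route is exempted from 'csrf'.
    // Exempting the sales module here would reopen the hole for it.
    public array $filters = [];
}
```

With the filter on, every HTML form must include `csrf_field()` and AJAX calls must send the token (for example via `csrf_header()` and `csrf_hash()`); sending the token from the sales module's requests is how its breakage is resolved without turning protection back off.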
CVE-2025-68434 is a Cross-Site Request Forgery (CSRF) vulnerability in Open Source Point of Sale versions from 3.4.0 up to, but not including, 3.4.2, where CSRF protection is explicitly disabled, allowing attackers to perform actions as an administrator.
You are affected if you are running Open Source Point of Sale versions 3.4.0 through 3.4.1. Verify your version and upgrade immediately.
Upgrade to version 3.4.2 or later. As a temporary workaround, implement a WAF with CSRF protection rules.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a medium probability of exploitation.
Refer to the official Open Source Point of Sale security advisory for detailed information and updates: [https://opensourcepos.org/security/advisories/](https://opensourcepos.org/security/advisories/)