Platform
codeigniter
Component
opensourcepos
Fixed in
3.4.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Open Source Point of Sale versions 3.4.0 through 3.4.1. This flaw arises from the explicit disabling of CSRF protection, allowing unauthorized actions to be performed on behalf of authenticated administrators. Successful exploitation could lead to unauthorized modifications of system configurations or sensitive data. The vulnerability is resolved in version 3.4.2.
The root cause is that the application ships with CodeIgniter's CSRF filter disabled. Because the browser automatically attaches the session cookie to any request aimed at the POS origin, an attacker who gets a logged-in administrator to open a page they control (a link in an e-mail, an ad, a forum post) can have that page submit a hidden form or script request to the POS, and the application processes it exactly as if the administrator had clicked the button. The attacker never learns the password or the session identifier; they only need the victim's browser to send the request. Depending on which forms are targeted, such a forged request could change product prices, create a new user with administrative privileges, or delete records. The blast radius is significant: one administrator session exposed to one malicious page can hand control of the entire point-of-sale system to the attacker. Note the distinction from injection or authentication-bypass bugs: the forged request is fully authenticated and well-formed; what is missing is proof that it originated from the application's own UI, which is what a CSRF token (backed by a strict Origin/Referer check and SameSite session cookies) provides.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation given the explicit disabling of CSRF protection suggests a medium probability of exploitation. The vulnerability was publicly disclosed on December 17, 2025, and the vendor has released a patch.
Organizations running Open Source Point of Sale versions 3.4.0 through 3.4.1 are at risk, particularly those without the security expertise to notice that the protection is off or those relying on the default configuration. The hosting model matters less than browser habits: the attack only requires that an administrator with a live POS session load attacker-controlled content in the same browser, so an instance administered from a workstation that is also used for e-mail and general web browsing is the highest-risk setup.
• linux / server: Review access logs for state-changing requests (POST, PUT, DELETE) to administrative endpoints whose Referer does not name your own POS host. A forged request is sent by the victim's browser, so it normally carries the attacker's page as Referer; a missing Referer ("-") is ambiguous and deserves a second look rather than an automatic alert. In Apache's request line the method precedes the path, and the "combined" format records the Referer as the second quoted field, so with awk (replace your-pos-host):
awk -F'"' '$2 ~ /^(POST|PUT|DELETE) / && $4 != "-" && $4 !~ /^https?:\/\/your-pos-host\// {print}' /var/log/apache2/access.log
• generic web: Use curl with a valid session cookie to submit a state-changing request that carries no CSRF token. On a vulnerable install the action succeeds; on a patched install CodeIgniter's CSRF filter rejects it (HTTP 403 by default, or a redirect back to the form when `redirect` is enabled in Config\Security). Replace the host, endpoint and parameters with a real administrative form from your instance:
curl -i -X POST -b cookies.txt -d 'param1=value1&param2=value2' https://your-pos-instance/admin/endpoint
• wordpress / composer / npm: This vulnerability is not in WordPress, Composer or npm, and packages installed through them do not change whether the CSRF filter is on. Keep any integrations that talk to the POS up to date, but treat that as general hygiene, not a fix for this CVE.
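The log check above can be made repeatable. The following is an added example written for this page, not code from the advisory or from the OSPOS project: it parses Apache "combined" log lines, keeps only state-changing requests to a set of assumed sensitive route prefixes, and classifies each by its Referer host. The hostname `pos.example.internal`, the route prefixes and the sample log lines are all constructed assumptions.

```php
<?php
// Added example (not from the advisory or the OSPOS project): flag likely CSRF
// traffic in an Apache "combined" access log. A forged request is sent by the
// victim's browser, so it arrives with the victim's session cookie and, unless
// the attacking page suppresses it, a Referer naming the attacker's origin.
// Hostnames, route prefixes and sample lines below are assumptions.
declare(strict_types=1);

const OWN_HOSTS = ['pos.example.internal'];                   // assumed POS hostname(s)
const STATE_CHANGING = ['POST', 'PUT', 'PATCH', 'DELETE'];
const WATCHED_PREFIXES = ['/config', '/employees', '/items']; // assumed sensitive routes

// host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;                                // not a combined-format line
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6]];
}

function refererVerdict(string $referer): string
{
    if ($referer === '-' || $referer === '') {
        return 'missing';                           // ambiguous: Referrer-Policy may strip it
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return 'malformed';
    }
    return in_array(strtolower($host), OWN_HOSTS, true) ? 'same-origin' : 'cross-origin';
}

function isWatched(string $path): bool
{
    $path = explode('?', $path, 2)[0];              // ignore the query string
    foreach (WATCHED_PREFIXES as $prefix) {
        if (str_starts_with($path, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Return the suspicious entries, each tagged with the reason it was flagged. */
function findSuspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parseLine($line);
        if ($e === null || !in_array($e['method'], STATE_CHANGING, true) || !isWatched($e['path'])) {
            continue;
        }
        $verdict = refererVerdict($e['referer']);
        if ($verdict === 'same-origin') {
            continue;                               // normal UI traffic
        }
        // A cross-origin Referer is the strongest signal. A missing one on a
        // request the server accepted is worth a look but is not proof.
        $hits[] = $e + ['reason' => $verdict === 'cross-origin' ? 'cross-origin referer' : 'referer ' . $verdict];
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sample = [
    '10.0.0.5 - - [17/Dec/2025:10:01:02 +0000] "GET /items HTTP/1.1" 200 5120 "https://pos.example.internal/home" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Dec/2025:10:01:09 +0000] "POST /items/save/12 HTTP/1.1" 303 0 "https://pos.example.internal/items/view/12" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Dec/2025:10:02:41 +0000] "POST /employees/save/-1 HTTP/1.1" 200 87 "https://evil.example.net/free-receipt-paper.html" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Dec/2025:10:02:42 +0000] "POST /config/save HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
];

foreach (findSuspicious($sample) as $hit) {
    printf("%s %s %s %s <- %s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['reason']);
}
```

On the constructed sample the second line (same-origin Referer) is ignored, the third is flagged as a cross-origin Referer and the fourth as a missing Referer. The same client IP on every line is expected: in a CSRF attack the request genuinely comes from the administrator's machine, which is why filtering on source address alone finds nothing.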
Timeline: disclosure, patch
Exploit status
EPSS: 0.13% (percentile 32%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68434 is to upgrade Open Source Point of Sale to version 3.4.2 or later immediately. If upgrading is not immediately feasible, a WAF or reverse-proxy rule that rejects state-changing requests (POST, PUT, DELETE) whose Origin or Referer header is not the POS origin blocks most browser-launched CSRF; it is not a substitute for a token, because requests that arrive with neither header cannot be judged and state changes over GET are not covered. If the session cookie is marked SameSite=Lax (CodeIgniter 4's default cookie setting), modern browsers will not attach it to cross-site POSTs, which blunts the classic attack, but GET endpoints that change state and older browsers remain exposed, so do not rely on that alone. Review and restrict administrator privileges to minimize the impact of a successful attack, audit user permissions regularly, and disable unnecessary accounts. Strong passwords and multi-factor authentication do not prevent CSRF, since the forged request rides an already-authenticated session, but they limit the damage of other ways an administrator account might be compromised.
Update Open Source Point of Sale to version 3.4.2 or later. That version fixes the CSRF vulnerability by re-enabling the CSRF filter in the application configuration. If you cannot update immediately, you can enable the CSRF filter manually in `app/Config/Filters.php` by uncommenting the protection line, although this may cause problems in the sales module.
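What "uncommenting the protection line" means in a CodeIgniter 4 application, as an added example that is not the OSPOS project's own configuration: the CSRF filter is enabled by listing the `csrf` alias under `$globals['before']` in `app/Config/Filters.php`, and its behaviour is tuned in `app/Config/Security.php`. Both are shown together below, with the disabled shape the advisory describes kept as a comment next to the hardened one. The `api/*` exemption pattern is an assumption for illustration; the base class and the full property list of the shipped files depend on the framework version, and only the CSRF-related entries matter here.

```php
<?php
// Added example, not OSPOS code. Shows the CodeIgniter 4 settings that decide
// whether requests are checked for a CSRF token. Route patterns are assumptions.
namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;

// ---- app/Config/Filters.php -------------------------------------------------
class Filters extends BaseConfig
{
    public array $aliases = [
        'csrf' => CSRF::class,
    ];

    // Vulnerable shape (what the advisory describes): the alias exists but is
    // never applied, so no request is checked for a token.
    //
    //     public array $globals = [
    //         'before' => [
    //             // 'csrf',
    //         ],
    //     ];

    // Hardened shape: run the CSRF filter before every request and exempt only
    // routes that genuinely cannot carry a token (for example a webhook
    // receiver). Exempting one route is the right tool if one screen breaks;
    // disabling the filter globally is not.
    public array $globals = [
        'before' => [
            'csrf' => ['except' => ['api/*']],   // assumed route pattern
        ],
        'after' => [],
    ];

    public array $methods = [];
    public array $filters = [];
}

// ---- app/Config/Security.php ------------------------------------------------
class Security extends BaseConfig
{
    // 'session' keeps the token server-side; 'cookie' is the framework default.
    public string $csrfProtection = 'session';

    // Mask the token per request so it cannot be read out of a compressed page.
    public bool $tokenRandomize = true;

    // Form field name and request header name the filter looks for.
    public string $tokenName  = 'csrf_test_name';
    public string $headerName = 'X-CSRF-TOKEN';

    // With true (the default) every accepted request issues a new token. Screens
    // that fire several asynchronous requests from one page then race against a
    // token that has already been rotated; false keeps one token per session.
    public bool $regenerate = false;

    // On failure: throw (403) or redirect back with an error message.
    public bool $redirect = false;
}
```

Views then emit the token with `<?= csrf_field() ?>` inside each form, and script-driven requests send it in the `X-CSRF-TOKEN` header, reading the value from `csrf_hash()` or from the meta tag that `csrf_meta()` writes. A screen that performs many background requests against a per-request-regenerated token is one plausible cause of the sales-module problems the page mentions, which is why `$regenerate` is shown set to false above; that link to OSPOS's actual behaviour is an assumption, not something the advisory states.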
CVE-2025-68434 is a Cross-Site Request Forgery (CSRF) vulnerability in Open Source Point of Sale versions 3.4.0 through 3.4.1 (fixed in 3.4.2) where CSRF protection is explicitly disabled, allowing attackers to perform actions as an administrator.
You are affected if you are running Open Source Point of Sale versions 3.4.0 through 3.4.1. Verify your version and upgrade immediately.
Upgrade to version 3.4.2 or later. As a temporary workaround, enable the CSRF filter manually in `app/Config/Filters.php`, or add a reverse-proxy or WAF rule that rejects cross-origin state-changing requests.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a medium probability of exploitation.
Refer to the official Open Source Point of Sale security advisory for detailed information and updates: [https://opensourcepos.org/security/advisories/](https://opensourcepos.org/security/advisories/)