CVE-2025-63800
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-12-19
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensourcepos | open_source_point_of_sale | 3.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-521 | The product does not require that users should have strong passwords. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Open Source Point of Sale 3.4.1 where the password change endpoint allows users to set their password to an empty string because the server does not validate the password fields properly. If an authenticated user submits a password change request with empty 'password' and 'repeat_password' parameters, the system accepts it and sets the password to empty, effectively disabling authentication for that account.
How can this vulnerability impact me?
This vulnerability can allow unauthorized access to user or administrative accounts by disabling their passwords. Attackers or malicious users could exploit this to gain access without needing a valid password, potentially compromising sensitive data or system control.
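The defect described above, as an added example that is not code from the OSPOS project: a constructed password-change handler that mirrors the unvalidated path (an empty 'password' and 'repeat_password' pair is stored as the account password) next to a hardened version that enforces a server-side policy. The form shape, the minimum length and the hashing parameters are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 12  # assumed policy value, not taken from OSPOS
PBKDF2_ROUNDS = 100_000   # assumed; constructed storage format is 'salt_hex:digest_hex'


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 hash for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored 'salt_hex:digest_hex' value."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def validate_password_change(form: dict, username: str) -> list:
    """Return policy violations for a password-change form; empty list means OK."""
    password = form.get("password", "")
    repeat = form.get("repeat_password", "")
    errors = []
    if password != repeat:
        errors.append("password and repeat_password do not match")
    if password.strip() == "":  # the CWE-521 case: empty (or blank) password submitted
        errors.append("password must not be empty")
    elif len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if password and password.lower() == username.lower():
        errors.append("password must not equal the username")
    return errors


def vulnerable_change_password(form: dict, store: dict, username: str) -> bool:
    """Mirrors the described defect: fields are read but never validated."""
    store[username] = hash_password(form.get("password", ""))
    return True


def hardened_change_password(form: dict, store: dict, username: str):
    """Validate server-side before touching the stored credential."""
    errors = validate_password_change(form, username)
    if errors:
        return False, errors
    store[username] = hash_password(form["password"])
    return True, []
```

Because the client-side form is not a trust boundary, the check has to run on the server; the hardened handler also refuses a missing field, which the vulnerable one silently treats as an empty password.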