Executive Summary

CVE-2026-33730 is an Insecure Direct Object Reference (IDOR) vulnerability in the Open Source Point of Sale (opensourcepos) application versions up to 3.4.1. It allows an authenticated low-privileged user to manipulate the `employee_id` parameter in password change requests to access and change the password of other users, including administrators.

This happens because the application does not verify object ownership or enforce authorization checks on the password change endpoints, allowing unauthorized users to access password change forms and submit password changes for other users.

The vulnerability was fixed in version 3.4.2 by adding object-level authorization checks to ensure users can only modify their own passwords unless they are administrators.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access or modify the password change functionality of other users by manipulating the `employee_id` parameter in the affected endpoints while authenticated as a low-privileged user.

Specifically, you can test the following endpoints by logging in as a non-administrative user and then modifying the `employee_id` in the request URL to that of another user (e.g., an administrator):

• GET /home/changePassword/{employee_id}
• POST /home/save/{employee_id}

If the server responds with HTTP 200 OK and returns the password change form or accepts the password change for the targeted user, the vulnerability is present.

Example commands using curl to test the vulnerability could be:

• curl -i -b cookies.txt "https://targetsite/home/changePassword/ADMIN_EMPLOYEE_ID"
• curl -i -b cookies.txt -X POST -d "password=newpass&confirm_password=newpass" "https://targetsite/home/save/ADMIN_EMPLOYEE_ID"

Here, `cookies.txt` contains the authentication cookies of a low-privileged user, and `ADMIN_EMPLOYEE_ID` is replaced with the employee ID of another user. Receiving a 200 OK response and the ability to change the password indicates the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Open Source Point of Sale application to version 3.4.2 or later, where the vulnerability is patched.

The patch enforces strict object-level authorization checks ensuring that non-admin users can only change their own passwords, while admin users retain the ability to change any user's password.

If upgrading immediately is not possible, consider implementing temporary access controls or monitoring to detect unauthorized attempts to access or modify other users' password change endpoints.

Specifically, ensure that the application returns HTTP 403 Forbidden responses for unauthorized access attempts instead of allowing access or redirecting.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized password changes by low-privileged authenticated users, including the ability to change administrator passwords. This unauthorized modification of user credentials can lead to privilege escalation and potential account takeover.

Such unauthorized access and modification of user accounts could result in violations of common security and privacy standards like GDPR and HIPAA, which require strict access controls and protection of user data to prevent unauthorized access and ensure data integrity.

By failing to enforce proper authorization checks, the application risks non-compliance with these regulations, potentially exposing sensitive user information and administrative controls to unauthorized users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized account manipulation, including changing passwords of other users without permission.

It enables privilege escalation where a low-privileged user can potentially take over administrator accounts by changing their passwords.

Such unauthorized password changes can result in account takeover, loss of control over critical accounts, and compromise of the system's integrity.

Useful 0 Not Useful 0