Cross-Site Request Forgery Vulnerability in Open Source Point of Sale by Open Source POS
CVE-2025-68434

8.8 HIGH

Key Information:

Vendor: Open Source POS
CVE Published:
17 December 2025

What is CVE-2025-68434?

A serious Cross-Site Request Forgery (CSRF) vulnerability exists in Open Source Point of Sale, affecting versions 3.4.0 and 3.4.1. In these releases CSRF protection was explicitly disabled, so state-changing requests were accepted without any token check: the only thing the server verified was the session cookie, which the browser attaches to cross-site form submissions as well. An attacker who lures a logged-in administrator to a malicious webpage can therefore have the victim's browser submit a forged request that creates a new administrator account with full system privileges. No privileges are needed on the attacker's side, only the victim's interaction, which is why the CVSS vector carries PR:N and UI:R. Because the forged account is a full administrator, the result is a potential application takeover and subsequent exposure of sensitive data. The issue has been addressed in version 3.4.2, which re-enables CSRF protection and resolves the prior AJAX race conditions that had motivated disabling it.
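The following is an added illustration of the failure mode described above, not code from Open Source Point of Sale. It models a hypothetical admin-only "create employee" handler in Python: with the CSRF check switched off (the behaviour the advisory attributes to 3.4.0 and 3.4.1) a forged cross-site POST succeeds because the browser supplies the victim's session; with a synchronizer token plus an Origin check it is rejected. The site origin, endpoint, form fields and session model are all assumptions made for the example.

```python
"""Synchronizer-token CSRF check in a minimal request model (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Assumed origin of the POS deployment (hypothetical, not from the advisory).
SITE_ORIGIN = "https://pos.example.test"


@dataclass
class Session:
    """Server-side session bound to the browser's session cookie."""
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """What the server sees. The browser attaches the session cookie to a
    cross-site form POST too, so `session` is present even for a forged request."""
    method: str
    headers: dict
    form: dict
    session: Optional[Session]


def _origin_matches(req: Request) -> bool:
    """Defence in depth: reject POSTs whose Origin (or Referer) is foreign or absent."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(req: Request) -> bool:
    """Synchronizer token: the submitted field must equal the per-session token.
    compare_digest on bytes keeps the comparison constant-time and tolerant of
    arbitrary attacker-supplied input."""
    if req.session is None:
        return False
    submitted = str(req.form.get("csrf_token", "")).encode()
    token_ok = hmac.compare_digest(submitted, req.session.csrf_token.encode())
    return token_ok and _origin_matches(req)


def create_employee(req: Request, users: dict, csrf_enabled: bool) -> int:
    """Hypothetical admin-only handler that adds a user. With csrf_enabled=False
    the only gate is that the ambient session belongs to an admin, which a
    forged request passes; returns an HTTP-style status code."""
    if req.method != "POST":
        return 405
    if req.session is None or req.session.role != "admin":
        return 403
    if csrf_enabled and not csrf_check(req):
        return 403
    users[req.form["username"]] = {"role": req.form.get("role", "employee")}
    return 201


def forged_request(victim: Session) -> Request:
    """Constructed: what an auto-submitting <form> on an attacker page sends.
    The browser adds the victim's cookie; the attacker cannot read the token."""
    return Request(method="POST",
                   headers={"Origin": "https://attacker.example"},
                   form={"username": "backdoor", "role": "admin"},
                   session=victim)


def legitimate_request(victim: Session) -> Request:
    """Constructed: the same POST issued from the application's own page."""
    return Request(method="POST",
                   headers={"Origin": SITE_ORIGIN},
                   form={"username": "cashier2", "role": "employee",
                         "csrf_token": victim.csrf_token},
                   session=victim)


def demo() -> dict:
    """Run the handler in both modes against both requests; return the outcomes."""
    admin = Session(user="admin", role="admin")
    vuln_users, fixed_users = {}, {}
    return {
        "vuln_forged": create_employee(forged_request(admin), vuln_users, False),
        "fixed_forged": create_employee(forged_request(admin), fixed_users, True),
        "fixed_legit": create_employee(legitimate_request(admin), fixed_users, True),
        "vuln_users": vuln_users,
        "fixed_users": fixed_users,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The token alone is sufficient when it is unguessable and bound to the session; the Origin check is a second, independent gate that also stops a forged request carrying a token leaked by some other bug. Neither check depends on the session cookie, which is exactly the credential a CSRF attack rides on.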

Affected Version(s)

opensourcepos >= 3.4.0, < 3.4.2

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 17 December 2025
