CVE-2025-63800
HIGHOpen Source Point of Sale 3.4.1 - Info Disclosure
Title source: llmDescription
The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.
Scores
CVSS v3
7.5
EPSS
0.0029
EPSS Percentile
52.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-521
Status
published
Affected Products (1)
opensourcepos/open_source_point_of_sale
Timeline
Published
Nov 18, 2025
Tracked Since
Feb 18, 2026