{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T07:58:07.671","vulnerabilities":[{"cve":{"id":"CVE-2026-33730","sourceIdentifier":"security-advisories@github.com","published":"2026-03-27T01:16:20.577","lastModified":"2026-04-01T15:05:18.343","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of other users, including administrators, by manipulating the `employee_id` parameter. The application does not verify object ownership or enforce authorization checks. Version 3.4.2 adds object-level authorization checks to validate that the current user owns the employee_id being accessed."},{"lang":"es","value":"Open Source Point of Sale (opensourcepos) es una aplicación de punto de venta basada en la web escrita en PHP utilizando el framework CodeIgniter. Antes de la versión 3.4.2, una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) permite a un usuario autenticado con bajos privilegios acceder a la funcionalidad de cambio de contraseña de otros usuarios, incluidos los administradores, manipulando el parámetro 'employee_id'. La aplicación no verifica la propiedad del objeto ni aplica comprobaciones de autorización. La versión 3.4.2 añade comprobaciones de autorización a nivel de objeto para validar que el usuario actual es propietario del 'employee_id' al que se accede."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:opensourcepos:open_source_point_of_sale:*:*:*:*:*:*:*:*","versionEndExcluding":"3.4.2","matchCriteriaId":"401D867E-4CA1-48F9-9C5D-492BCAAC8106"}]}]}],"references":[{"url":"https://github.com/opensourcepos/opensourcepos/commit/ee4d44ed396097d6010c5490ab4fd7cfae694624","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-mcc2-8rp2-q6ch","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}