CVE-2025-63800 — HIGH (7.5)

Vulnerability Description

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Opensourcepos	Open Source Point Of Sale	3.4.1

Related Weaknesses (CWE)

CWE-521

References

https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-63800ExploitThird Party Advisory
https://github.com/opensourcepos/opensourceposProduct
https://opensourcepos.org/Product

FAQ

What is CVE-2025-63800?

CVE-2025-63800 is a vulnerability with a CVSS score of 7.5 (HIGH). The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or...

How severe is CVE-2025-63800?

CVE-2025-63800 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-63800?

Check the references section above for vendor advisories and patch information. Affected products include: Opensourcepos Open Source Point Of Sale.