Exposure of Sensitive Information to an Unauthorized Actor in blair2004/nexopos-4x


Reported on

Sep 29th 2021


Unhandled exception leads to exposure of server side and sql query information.

Proof of Concept

  1. Go to demo page http://v4.nexopos.com and login using demo account
  2. Go to Customer -> Create coupon and try to create a coupon without entering coupon code (leave it empty)
  3. See that the page pops up a modal disclosing server side information
  4. Here is a sample
    "message": "SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'code' cannot be null (SQL: update `ns_nexopos_coupons` set `name` = adf, `code` = ?, `ns_nexopos_coupons`.`updated_at` = 2021-09-29 02:16:41 where `id` = 1)",
    "exception": "Illuminate\\Database\\QueryException",
    "file": "/var/www/html/v4.nexopos.com/vendor/laravel/framework/src/Illuminate/Database/Connection.php",
    "line": 692,


This vulnerability is capable of exposure of server side information.

a year ago


Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back a year ago
Blair Jersyer
a year ago


Hi, thank you for reporting this. We'll take the necessary actions to have those fixed. Thanks.

Blair Jersyer
a year ago


The issue has been resolved with this commit : https://github.com/Blair2004/NexoPOS-4x/commit/e347d7410119f1296fff017554cf9507dc16764f

Blair Jersyer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer confirmed that a fix has been merged on e347d7 a year ago
Blair Jersyer has been awarded the fix bounty
to join this conversation