Improper Authorization in blair2004/nexopos-4x

Valid

Reported on

Sep 29th 2021


Description

The customer export endpoint (/export/customers-list.csv) performs no authentication or authorization check, so the exported customer list can be downloaded by anyone, without a logged-in session.

Proof of Concept

  1. Without logging in, open http://v4.nexopos.com/export/customers-list.csv in a browser.
  2. The customer list CSV is downloaded without any login prompt or permission check.
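As an added example (not part of the original report and not NexoPOS code), a small POSIX shell probe that repeats the check from a terminal and can be re-run after a fix: it requests the export URL with no cookies, does not follow redirects, and classifies the reply by status code and content type. The host in the usage line is a placeholder, and the classification rules (a 200 with a CSV content type means the export is exposed; a redirect or 401/403 means a login gate is in place; a 200 with an HTML body needs a manual look) are assumptions about how the application answers, not something the report states.

```shell
#!/bin/sh
# Added example: probe an export endpoint anonymously and classify the result.
# Assumptions (not from the report): the target host is a placeholder, an
# unauthenticated request is either redirected to a login page (3xx) or
# refused (401/403), and a successful export answers 200 with a CSV body.

# classify STATUS CONTENT_TYPE
# Prints one of: EXPOSED, PROTECTED, HTML, UNKNOWN
classify() {
  status=$1
  ctype=$2
  case "$status" in
    200)
      case "$ctype" in
        # CSV (or a generic download) served to an anonymous client: the finding reproduces
        text/csv*|application/csv*|application/octet-stream*) echo EXPOSED ;;
        # 200 but an HTML page (login form, SPA shell): not the CSV, inspect manually
        text/html*) echo HTML ;;
        *) echo UNKNOWN ;;
      esac
      ;;
    # Redirect to login or an explicit refusal: an access check fired
    301|302|303|307|308|401|403) echo PROTECTED ;;
    *) echo UNKNOWN ;;
  esac
}

# probe URL
# Sends one cookie-less request, follows no redirects, prints the classification.
probe() {
  url=$1
  # -s silent, -o discard the body, -w print "<status> <content-type>" on one line
  out=$(curl -s -o /dev/null -w '%{http_code} %{content_type}' "$url") || return 2
  status=${out%% *}   # text before the first space
  ctype=${out#* }     # text after the first space (may contain "; charset=...")
  classify "$status" "$ctype"
}

# Usage: sh probe.sh https://pos.example.test/export/customers-list.csv
if [ "$#" -ge 1 ]; then
  probe "$1"
fi
```

Run it once before and once after deploying the fix; the expected change is EXPOSED to PROTECTED. A result of HTML or UNKNOWN means the heuristic did not apply and the response should be inspected by hand.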

Impact

An unauthenticated attacker can download the exported customer list, exposing the personal information of the store's customers.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
Ziding Zhang (Admin), 2 months ago:

Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back 2 months ago
Blair Jersyer validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer confirmed that a fix has been merged on 0138f9 2 months ago
Blair Jersyer has been awarded the fix bounty