Improper Authorization in blair2004/nexopos-4x


Reported on Sep 29th 2021


The customer export file can be downloaded without any authorization check: the export endpoint serves the customer list to a client that has no session at all.

Proof of Concept

  1. Access this link in the browser without logging in:
  2. Observe that the customer list file is downloaded even though no user is logged in.


This vulnerability exposes customer information: anyone who can reach the export URL obtains the exported customer list without authenticating.
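The proof of concept above is a manual check. Below is an added example (not part of the original report or the NexoPOS code) that automates the same check: it issues a single GET against an export URL without following redirects, records whether the response is a served file, a redirect to a login page, or an explicit denial, and runs that probe against a small local mock that stands in for the application. The mock's path `/dashboard/customers/export`, its `session=valid` cookie, and its `require_auth` switch are assumptions for illustration; they are not the real NexoPOS route, session format, or the change made in the fix commit.

```python
"""Probe an export endpoint to see whether it serves a file to a client with no session."""
from __future__ import annotations

import http.client
import http.server
import threading
from typing import Optional
from urllib.parse import urlparse

# Constructed sample export content; not real customer data.
SAMPLE_CSV = "name,email,phone\r\nAlice Example,alice@example.test,555-0100\r\n"


def probe(url: str, cookie: Optional[str] = None) -> dict:
    """GET the URL once, without following redirects, and summarise the response."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    headers = {"Cookie": cookie} if cookie else {}
    conn.request("GET", u.path or "/", headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    disposition = resp.getheader("Content-Disposition", "")
    return {
        "status": resp.status,
        "content_type": resp.getheader("Content-Type", ""),
        "attachment": "attachment" in disposition.lower(),
        "rows": body.decode("utf-8", "replace").count("\n"),
        "location": resp.getheader("Location", ""),
    }


def classify(result: dict) -> str:
    """Label the response. 'served' with no session cookie is the bug described on this page."""
    if result["status"] == 200 and (
        result["attachment"] or result["content_type"].startswith("text/csv")
    ):
        return "served"
    if result["status"] in (301, 302, 303, 307, 308) and "login" in result["location"]:
        return "login-required"
    if result["status"] in (401, 403):
        return "denied"
    return "other"


class ExportHandler(http.server.BaseHTTPRequestHandler):
    """Mock of the export route (hypothetical path). require_auth=False reproduces the flaw."""

    require_auth = False

    def do_GET(self):
        if self.path != "/dashboard/customers/export":
            self.send_error(404)
            return
        # The missing check: without it the CSV is returned to any client.
        if self.require_auth and self.headers.get("Cookie") != "session=valid":
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()
            return
        body = SAMPLE_CSV.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/csv")
        self.send_header("Content-Disposition", 'attachment; filename="customers.csv"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # keep the example quiet


def check(require_auth: bool, cookie: Optional[str] = None) -> str:
    """Start a mock on an ephemeral port, probe it once, and return the classification."""
    handler = type("Handler", (ExportHandler,), {"require_auth": require_auth})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_address[1]}/dashboard/customers/export"
    try:
        return classify(probe(url, cookie))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("no auth check, no session:   ", check(require_auth=False))
    print("auth check, no session:      ", check(require_auth=True))
    print("auth check, valid session:   ", check(require_auth=True, cookie="session=valid"))
```

Against a real deployment, point `probe` at the export URL from the proof of concept with no cookie: a `served` result is the finding, `login-required` or `denied` is what a fixed build should return. A 200 with an HTML login page body would land in `other`, which is why the classifier keys on the attachment header and CSV content type rather than on the status code alone.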

We created a GitHub Issue asking the maintainers to create a 2 years ago


Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back 2 years ago
Blair Jersyer validated this vulnerability 2 years ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer marked this as fixed with commit 0138f9 2 years ago
Blair Jersyer has been awarded the fix bounty
This vulnerability will not receive a CVE