Improper Authorization in blair2004/nexopos-4x

Valid

Reported on

Sep 29th 2021

Description

No authorization in downloading customer export file.

Access this link in browser without logging in: http://v4.nexopos.com/export/customers-list.csv
See that you can download customer list file without logging in.

This vulnerability is capable of exposure of customer information.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

commented 2 years ago

Admin

Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back 2 years ago

Blair Jersyer validated this vulnerability 2 years ago

M0rphling has been awarded the disclosure bounty

The fix bounty is now up for grabs

Blair Jersyer marked this as fixed with commit 0138f9 2 years ago

This vulnerability will not receive a CVE

to join this conversation