Improper Authorization in blair2004/nexopos-4x


Reported on

Sep 29th 2021


No authorization check when downloading the customer export file.

Proof of Concept

  1. Access this link in a browser without logging in:
  2. See that you can download the customer list file without logging in.
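As a quick reproduction and regression check for the steps above (an added example, not code from the original report or from NexoPOS): the script fetches an export URL with no session cookie or auth header and classifies the response. The URL is a placeholder command-line argument because the report omits the real link, and the classification rules (an attachment or CSV/spreadsheet content type means the file was served to an anonymous client; a 401/403, a bounce to a login page, or a login form means it was refused) are assumptions about how a web app such as a Laravel site typically answers, not a description of NexoPOS internals.

```python
"""Unauthenticated-download check for an export endpoint.

Added example; the export URL and response rules are assumptions, not taken
from the report or from NexoPOS.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

LEAK = "LEAK: export served without authentication"
DENIED = "OK: request denied (401/403)"
LOGIN_REDIRECT = "OK: redirected to login page"
LOGIN_FORM = "OK: login form served instead of file"
UNCLEAR = "UNCLEAR: inspect the response manually"

FILE_TYPES = ("text/csv", "spreadsheet", "application/octet-stream")


def classify_response(status, headers, body):
    """Classify the outcome of an anonymous GET of an export URL.

    headers: dict mapping lower-cased header names to values.
    body: the first bytes of the response body.
    """
    ctype = headers.get("content-type", "").lower()
    disp = headers.get("content-disposition", "").lower()
    if status in (401, 403):
        return DENIED
    if status in (301, 302, 303, 307, 308):
        # A bounce whose path contains "login" is the usual auth-middleware
        # behaviour; any other redirect needs a human look.
        location = headers.get("location", "")
        if "login" in urlparse(location).path.lower():
            return LOGIN_REDIRECT
        return UNCLEAR
    if status == 200:
        # The export itself arrives as an attachment or a CSV/spreadsheet type;
        # an app that refused may still answer 200 with an HTML login form.
        if "attachment" in disp or any(t in ctype for t in FILE_TYPES):
            return LEAK
        if "text/html" in ctype and b"<form" in body.lower():
            return LOGIN_FORM
    return UNCLEAR


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a bounce to /login is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_export_url(url, timeout=10):
    """Fetch url with no cookies or auth header and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "export-auth-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            headers = {k.lower(): v for k, v in resp.headers.items()}
            body = resp.read(4096)
    except urllib.error.HTTPError as err:
        # 3xx (because redirects are blocked) and 4xx/5xx land here.
        status = err.code
        headers = {k.lower(): v for k, v in err.headers.items()}
        body = err.read(4096)
    return classify_response(status, headers, body)


if __name__ == "__main__":
    # Usage: python export_auth_check.py https://shop.example/dashboard/customers/export
    # (placeholder URL; substitute the export link under test)
    if len(sys.argv) != 2:
        sys.exit("usage: export_auth_check.py <export-url>")
    print(check_export_url(sys.argv[1]))
```

Run it against the export link before and after deploying the fix: a LEAK verdict reproduces the report, and DENIED, LOGIN_REDIRECT or LOGIN_FORM shows the endpoint now requires a session. The request deliberately sends no cookies, so a verdict other than LEAK obtained while logged in elsewhere in the browser does not count; only the script's anonymous request is meaningful.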


This vulnerability exposes customer information to anyone who can reach the export URL, with no login required.

We created a GitHub Issue asking the maintainers to create a 2 months ago
Ziding Zhang
2 months ago


Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back 2 months ago
Blair Jersyer validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer confirmed that a fix has been merged on 0138f9 2 months ago
Blair Jersyer has been awarded the fix bounty