Improper Authorization in blair2004/nexopos-4x

Reported on Sep 29th 2021

No authorization check is performed when downloading the customer export file: the endpoint serves the export to anyone who requests the URL, authenticated or not.

Proof of Concept

  1. Access this link in a browser without logging in:
  2. Observe that the customer list file downloads without any login prompt or permission check.


This vulnerability exposes customer information to unauthenticated users: anyone who obtains or guesses the export URL can download the full customer list.
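The class of defect described above, as an added example that is not NexoPOS's own code: an illustrative Laravel route that serves a customer export with no authorization, followed by a hardened version of the same route. The route path, the permission name, the storage path and the hasPermission() helper on the user model are all assumptions made for this example.

```php
<?php
// Illustrative Laravel code, not taken from NexoPOS. Route paths, the
// 'export-customers' ability, the storage location and hasPermission()
// are assumptions for this example.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

// VULNERABLE: anyone who knows or guesses the URL receives the export.
// No auth middleware, no permission check, and the file name comes straight
// from the request, so the caller also chooses which file is returned.
Route::get('/exports/customers/{file}', function (string $file) {
    return Storage::disk('local')->download("exports/{$file}");
});

// HARDENED:
//  - the 'auth' middleware rejects anonymous requests (redirect to login
//    for browsers, 401 for API clients),
//  - a Gate check ties the download to an explicit permission,
//  - the file name is validated against a strict pattern and looked up
//    only inside the exports directory, so "../" cannot escape it.
Route::middleware(['auth'])->get('/exports/customers/{file}', function (Request $request, string $file) {
    if (! Gate::allows('export-customers')) {
        abort(403);
    }
    // Only plain CSV names; no path separators, no traversal sequences.
    if (! preg_match('/\A[A-Za-z0-9_-]+\.csv\z/', $file)) {
        abort(404);
    }
    $disk = Storage::disk('local');
    $path = "exports/{$file}";
    if (! $disk->exists($path)) {
        abort(404);
    }
    return $disk->download($path);
})->name('exports.customers.download');

// Ability definition; in a real app this belongs in AuthServiceProvider::boot().
// hasPermission() is an assumed helper: map it to the app's own permission model.
Gate::define('export-customers', fn ($user) => $user->hasPermission('read.customers'));
```

After a fix of this shape, repeating the proof of concept while logged out should produce a redirect to the login page (or a 401 for an API request) instead of a 200 response with a CSV body, and a logged-in user without the permission should receive a 403. One caveat the route guard cannot cover: if the export file is written beneath the web root (for example under public/), the web server will serve it directly and no controller check is consulted, so generated exports should live outside the document root or on a non-public disk.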

We created a GitHub Issue asking the maintainers to create a (a year ago)


Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back (a year ago)
Blair Jersyer validated this vulnerability (a year ago)
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer confirmed that a fix has been merged on 0138f9 (a year ago)
Blair Jersyer has been awarded the fix bounty