← back
CVE-2025-63800

CVE-2025-63800

CVSS 7.5 HIGHEPSS 0.4%CWE-521
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
18 Nov 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-63800https://github.com/opensourcepos/opensourceposhttps://opensourcepos.org/