CVE-2025-68434

CVE-2025-68434 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Open Source Point of Sale (opensourcepos) application. This web-based point-of-sale system, written in PHP using the CodeIgniter framework, explicitly disabled its CSRF protection mechanism in the filter configuration starting from version 3.4.0 and prior to version 3.4.2. As a result, the application processes state-changing POST requests without verifying a valid CSRF token, exposing it to unauthorized actions.

An unauthenticated remote attacker can exploit this vulnerability by hosting a malicious web page. If a logged-in administrator visits the page, their browser is tricked into sending unauthorized POST requests to the opensourcepos application. A successful exploit silently creates a new Administrator account with full privileges, enabling complete system takeover and compromising confidentiality, integrity, and availability. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility and low complexity, though it requires user interaction.

The vulnerability is patched in version 3.4.2, which re-enables the CSRF filter in app/Config/Filters.php and addresses related AJAX race conditions through adjusted token regeneration settings. As a workaround, administrators can manually re-enable the CSRF filter by uncommenting the relevant line in app/Config/Filters.php, but this is not recommended without the full patch, as it may break functionality in the Sales module due to token synchronization issues. Official details are available in the GitHub security advisory (GHSA-wjm4-hfwg-5w5r), pull request #4349, and the fixing commit d575c8da9a1d7af8313a1e758e000e243f5614ef.