CVE-2023-24320
Description
An access control issue in Axcora POS #0~gitf77ec09 allows unauthenticated attackers to execute arbitrary commands via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Axcora POS #0~gitf77ec09 has a broken authentication flaw allowing unauthenticated attackers to add products and execute commands via unsanitized input.
Vulnerability
Axcora POS version #0~gitf77ec09, available at https://github.com/mesinkasir/posapp, suffers from a broken access control vulnerability [1]. The software fails to enforce authentication for critical endpoints such as saveproduct.php, allowing any unauthenticated user to access and manipulate product data [1]. Additionally, user-supplied input is not sanitized, which can lead to cross-site scripting (XSS) attacks [1].
Exploitation
An attacker does not require any authentication or prior access to the system [1]. The published proof of concept demonstrates how an attacker can send a crafted HTTP POST request to the saveproduct.php endpoint with arbitrary product fields (e.g., barcode, name, price, quantity) to create a new product entry [1]. The lack of input sanitization also enables injection of malicious scripts through fields like name (e.g., x), enabling stored XSS attacks that would execute in the browser of any user viewing the product list [1].
Impact
Successful exploitation allows an unauthenticated attacker to create, update, or delete products in the Axcora POS system, compromising the integrity and availability of the point-of-sale data [1]. The attacker may also execute arbitrary JavaScript in the context of other users' sessions via stored XSS, leading to further account compromise or data theft [1]. The impact is confined to the application's database and its users' browser sessions; the attacker does not gain full system-level access [1].
Mitigation
No official patch or fixed version has been released by the vendor (mesinkasir) as of the publication date [1]. The available mitigations are to restrict network access to the Axcora POS application to trusted users only, deploy a web application firewall, and manually add authentication checks to the vulnerable endpoints (e.g., saveproduct.php) [1]. Users should monitor for updates from the vendor and apply any security patches as soon as they become available [1].
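One way to implement the manual authentication check and input handling described above, as an added example that is not the posapp project's own code: a session-based guard, field validation and HTML escaping placed at the top of an endpoint such as saveproduct.php. The session key `user_id`, the field rules and the response format are assumptions, not the project's real names.

```php
<?php
// Added example, not code from the posapp project: an authentication guard,
// input validation and HTML escaping for an endpoint like saveproduct.php.
// The session key 'user_id' is an assumption, not the project's real name.
session_start();

// Reject the request unless a logged-in user is present in the session.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {   // assumed session key
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
}

// Accept only the expected product fields, with the expected types, so that
// arbitrary POST data never reaches the database layer unchecked.
function validate_product(array $post): array
{
    $barcode = trim((string)($post['barcode'] ?? ''));
    $name    = trim((string)($post['name'] ?? ''));
    $price   = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);
    $qty     = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT);
    if ($barcode === '' || $name === '' || $price === false || $qty === false
        || mb_strlen($name) > 100 || !preg_match('/^[A-Za-z0-9-]+$/', $barcode)) {
        throw new InvalidArgumentException('invalid product fields');
    }
    return ['barcode' => $barcode, 'name' => $name, 'price' => $price, 'quantity' => $qty];
}

// Escape a value before rendering it into HTML so that a product name
// containing markup is shown as text rather than executed as script.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

require_login();
try {
    $product = validate_product($_POST);
    // ... pass $product to the existing insert logic via a prepared statement ...
    echo '<p>Saved product ' . h($product['name']) . '</p>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo h($e->getMessage());
}
```

The same `h()` escaping must be applied wherever the product list is rendered, since the stored XSS fires on display rather than on save.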
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Axcora/Axcora POS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.