CVE-2023-36347
Description
A broken authentication mechanism in the endpoint excel.php of POS Codekop v2.0 allows unauthenticated attackers to download selling data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can download selling data from POS Codekop v2.0 via the broken authentication in excel.php.
Vulnerability
In POS Codekop v2.0, the endpoint /excel.php lacks proper authentication checks, allowing unauthenticated access. This endpoint is used for exporting selling data to an Excel file. The affected version is 2.0 (commit ebc5c29). [1]
Exploitation
An attacker can directly access the excel.php endpoint without any authentication. No prior access or user interaction is required. The attack can be performed remotely over HTTP by simply navigating to the URL or using tools like cURL. [1]
Impact
An unauthenticated attacker can download the entire selling data, which includes sensitive sales records. This leads to information disclosure of business transactions. [1]
Mitigation
As of the disclosure date (June 2023), no official patch has been released. Users should implement authentication checks for the excel.php endpoint, such as requiring a valid session or API key. Consider restricting access to authorized IPs until a fix is available. [1]
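One way to implement the session check and temporary IP restriction described above, as an added example that is not POS Codekop's own code. The file name `export_guard.php`, the `$_SESSION['user_id']` key, the function names and the CIDR allowlist are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example (not POS Codekop code): hypothetical export_guard.php.
// In excel.php, before any output:
//   require __DIR__ . '/export_guard.php'; require_export_access();
// ASSUMPTION: the login code stores the signed-in user's id in $_SESSION['user_id'].
// ASSUMPTION: constructed allowlist of admin networks; replace with your own.
const EXPORT_ALLOWED_CIDRS = ['127.0.0.1/32', '192.0.2.0/24'];

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    $bits = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // fail closed on IPv6 or malformed input
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function export_request_allowed(array $session, string $remoteAddr): bool
{
    if (empty($session['user_id'])) {
        return false; // no authenticated session: deny
    }
    foreach (EXPORT_ALLOWED_CIDRS as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false; // authenticated, but outside the authorized networks
}

function require_export_access(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!export_request_allowed($_SESSION, $_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403); // stop before any sales data is generated
        header('Content-Type: text/plain; charset=utf-8');
        exit('Forbidden');
    }
}
```

Behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so the IP restriction then belongs in the proxy or web server configuration instead.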
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- POS Codekop/POS Codekop
  - Range: = 2.0
Patches
No patches discovered yet.