mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-04-02 06:14:51 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
34986c8e4e1fa36378980314c6c81331c179f1a5
opensourcepos/app/Controllers
History
Ollama 34986c8e4e Fix business logic vulnerability allowing negative sale totals 
An authenticated employee with sales permission could:
- Create negative-total sales (store "pays" the customer)
- Set discounts > 100% for negative-total effect
- Bypass inventory controls with negative quantities

This fix adds validation in:
- postEditItem(): validates discount <= 100% for percentage discounts,
  discount <= item total for fixed discounts, and non-negative price/quantity/discount
- postComplete(): blocks sale completion if total is negative (exceptions for returns)

CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
2026-03-24 19:03:27 +00:00
..
Attributes.php
Add SHOW_IN_SEARCH flag to separate attribute search from visibility
2026-03-19 21:30:52 +00:00
BaseController.php
Feature bump ci to 4.6.0 (#4197)
2025-04-03 14:16:06 +04:00
Cashups.php
Add filter persistence for table views via URL query string (#4400)
2026-03-11 20:11:00 +01:00
Config.php
Fix SQL injection in suggestions column configuration (#4421)
2026-03-13 18:13:54 +00:00
Customers.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Employees.php
Refactor: Move ADMIN_MODULES to constants, rename methods to camelCase
2026-03-06 17:25:25 +01:00
Expenses_categories.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Expenses.php
Fix review comments: remove redundant loop and add XSS escaping
2026-03-17 15:32:16 +00:00
Giftcards.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Home.php
Fix IDOR vulnerability in password change (GHSA-mcc2-8rp2-q6ch) (#4427)
2026-03-13 12:13:21 +01:00
index.html
Replace tabs with spaces (#4196)
2025-03-28 21:24:21 +04:00
Item_kits.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Items.php
style: Apply PSR-12 formatting
2026-03-19 21:30:53 +00:00
Login.php
Improve code style and PSR-12 compliance (#4204)
2025-05-02 19:37:06 +02:00
Messages.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
No_access.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Office.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Persons.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Receivings.php
Fix: Restrict employee selection in expenses and receivings forms
2026-03-17 15:32:16 +00:00
Reports.php
Fix DECIMAL attribute not respecting locale format (#4422)
2026-03-13 21:23:52 +00:00
Sales.php
Fix business logic vulnerability allowing negative sale totals
2026-03-24 19:03:27 +00:00
Secure_Controller.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Suppliers.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Tax_categories.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Tax_codes.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Tax_jurisdictions.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00
Taxes.php
Use Content-Type application/json for AJAX responses (#4357)
2026-03-04 21:42:35 +01:00