NexoPOS 6.0.8

[Blair2004]

Urgent Security Update Available: Please Update Your NexoPOS Module Immediately

We have released a critical security update for your NexoPOS. We urge all users, especially those running self-hosted environments, to update immediately to protect their data and maintain application stability.

v6.0.7 and - Security & Stability Patch

This urgent release addresses two critical security vulnerabilities related to the application's initial setup process. These vulnerabilities could potentially cause a Denial of Service (DoS) or unauthorized configuration changes.

Key Fixes in This Update: **Critical Access Control Fix: We have restricted access to the Setup API endpoints (/api/setup/database) after installation. This prevents unauthorized, unauthenticated users from interacting with these internal configuration tools. **

** Security Hardening of Configuration: ** We have patched a critical vulnerability that allowed for the injection of arbitrary values into the application's configuration file (.env) via the setup process, which could have exposed sensitive credentials or led to a complete database connection break (DoS).

Action Required:

Please update your NexoPOS module to the latest version as soon as possible to ensure your environment is fully protected.

Thank you for taking the time to look into this matter. Your security is our top priority.

Full Changelog: v6.0.7...v6.0.8

---

This discussion was created from the release NexoPOS 6.0.8.

[ayoub-hs]

i had an issue in 6.0.5 where i couldn't remove an item from held order it throws a permission error although i'm admin.
i fixed it with this procedure . i don't know if it persist in this version
php artisan tinker
$user = \App\Models\User::find(99);

q

\App\Models\PermissionAccess::where('requester_id', $user->id)->where('permission', 'nexopos.pos.delete-order-product')->where('status', 'pending')->delete();

add these lines in permissionaccess.php in line 19

protected $fillable = [
    'requester_id',
    'granter_id',
    'status',
    'permission',
    'url',
    'approved_at',
    'expired_at',
];

then proceed in tinker

$access=\App\Models\PermissionAccess::create(['requester_id'=>$user->id,'granter_id' =>$user->id,'status'=>\App\Models\PermissionAccess::GRANTED,'permission' =>'nexopos.pos.delete-order-product','expired_at'=>now()->addMinutes(30),]);

exit

php artisan optimize:clear
php artisan cache:clear