Vulnerabilities > Phppointofsale

DATE CVE VULNERABILITY TITLE RISK
2022-10-31 CVE-2022-40287 Cross-site Scripting vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a targeted account.
network
low complexity
phppointofsale CWE-79
critical
9.0
2022-10-31 CVE-2022-40288 Cross-site Scripting vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile.
network
low complexity
phppointofsale CWE-79
critical
9.0
2022-10-31 CVE-2022-40289 Cross-site Scripting vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files.
network
low complexity
phppointofsale CWE-79
critical
9.0
2022-10-31 CVE-2022-40290 Cross-site Scripting vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users.
network
low complexity
phppointofsale CWE-79
6.1
2022-10-31 CVE-2022-40291 Cross-Site Request Forgery (CSRF) vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site to delete their account, or in rare circumstances, hijack their account and create other admin accounts.
network
low complexity
phppointofsale CWE-352
8.8
2022-10-31 CVE-2022-40292 Information Exposure Through an Error Message vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application allowed for Unauthenticated User Enumeration by interacting with an unsecured endpoint to retrieve information on each account within the system.
network
low complexity
phppointofsale CWE-209
5.3
2022-10-31 CVE-2022-40293 Session Fixation vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was vulnerable to a session fixation that could be used hijack accounts.
network
low complexity
phppointofsale CWE-384
critical
9.8
2022-10-31 CVE-2022-40294 Improper Neutralization of Formula Elements in a CSV File vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.
network
low complexity
phppointofsale CWE-1236
8.8
2022-10-31 CVE-2022-40295 Missing Encryption of Sensitive Data vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.
network
low complexity
phppointofsale CWE-311
4.9
2022-10-31 CVE-2022-40296 Server-Side Request Forgery (SSRF) vulnerability in PHPpointofsale PHP Point of Sale 19.0
The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems.
network
low complexity
phppointofsale CWE-918
critical
9.8