CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was identified to have a CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers. • https://www.themissinglink.com.au/security-advisories/cve-2022-40294 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was vulnerable to unauthenticated Reflected Cross-Site Scripting (XSS) in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users. • https://www.themissinglink.com.au/security-advisories/cve-2022-40290 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks. • https://www.themissinglink.com.au/security-advisories/cve-2022-40295 • CWE-311: Missing Encryption of Sensitive Data • CWE-916: Use of Password Hash With Insufficient Computational Effort

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was found to be vulnerable to authenticated Stored Cross-Site Scripting (XSS) in messaging functionality, leading to privilege escalation or a compromise of a targeted account. • https://www.themissinglink.com.au/security-advisories/cve-2022-40287 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was vulnerable to Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems. • https://www.themissinglink.com.au/security-advisories/cve-2022-40296 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files. • https://www.themissinglink.com.au/security-advisories/cve-2022-40289 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application allowed for Unauthenticated User Enumeration by interacting with an unsecured endpoint to retrieve information on each account within the system. • https://www.themissinglink.com.au/security-advisories/cve-2022-40292 • CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site to delete their account, or in rare circumstances, hijack their account and create other admin accounts. • https://www.themissinglink.com.au/security-advisories/cve-2022-40291 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was vulnerable to a session fixation that could be used to hijack accounts. • https://www.themissinglink.com.au/security-advisories/cve-2022-40293 • CWE-384: Session Fixation

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile. • https://www.themissinglink.com.au/security-advisories/cve-2022-40288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')