CVE-2022-40289 – Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via file upload and download functionality.
https://notcve.org/view.php?id=CVE-2022-40289
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or to compromise any account that the attacker can coerce into opening the targeted files. • https://www.themissinglink.com.au/security-advisories/cve-2022-40289 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
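The advisory does not publish the affected handler, so the following is an added illustration in Python (not PHP Point of Sale code) of the pattern behind CWE-79 via file upload and download: a download endpoint that serves uploaded bytes with the type the uploader declared, next to one that ignores the declared type, forces a download, and disables sniffing. The upload table, filenames and handler names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed upload store: filename -> (Content-Type the uploader declared, file bytes).
# "receipt.png" is an "image" whose bytes are really an HTML page carrying script.
UPLOADS = {
    "receipt.png": ("text/html", b"<html><script>fetch('/admin/users')</script></html>"),
    "notes.txt": ("text/plain", b"plain text, nothing special"),
    "sneaky.txt": ("text/plain", b"<svg onload=\"alert(document.cookie)\"></svg>"),
}

# Extension -> type the server is willing to send; anything else goes out as opaque bytes.
ALLOWED_TYPES = {".png": "image/png", ".jpg": "image/jpeg", ".pdf": "application/pdf", ".txt": "text/plain"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def vulnerable_download(name: str) -> Response:
    """Weak pattern: trust the type recorded at upload time and let the browser render inline."""
    entry = UPLOADS.get(name)
    if entry is None:
        return Response(404)
    declared_type, body = entry
    return Response(200, {"Content-Type": declared_type, "Content-Disposition": "inline"}, body)


def looks_like_markup(data: bytes) -> bool:
    """Cheap content check: bytes that start like an HTML/SVG document must never be served as text."""
    head = data[:512].lstrip().lower()
    return head.startswith(b"<") and any(tag in head for tag in (b"<html", b"<script", b"<svg", b"<!doctype"))


def hardened_download(name: str) -> Response:
    if not SAFE_NAME.match(name):          # rejects traversal and odd characters in the name
        return Response(400)
    entry = UPLOADS.get(name)
    if entry is None:
        return Response(404)
    _declared_type, body = entry           # the uploader's declared type is ignored entirely
    ext = name[name.rfind("."):].lower() if "." in name else ""
    ctype = ALLOWED_TYPES.get(ext, "application/octet-stream")
    if looks_like_markup(body):            # extension says text/image, content says document
        ctype = "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        # Even if a browser renders it anyway, no script may run in the application's origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    return Response(200, headers, body)
```

The two checks that matter are the forced attachment plus nosniff (so the file never executes in the site's origin) and the content-based downgrade (so an HTML payload with an image extension is not served as an image either). Serving uploads from a separate origin is the stronger fix when the deployment allows it.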
CVE-2022-40292 – Unauthenticated username enumeration in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.
https://notcve.org/view.php?id=CVE-2022-40292
The application allowed unauthenticated user enumeration: an unauthenticated client could interact with an unprotected endpoint to retrieve information on each account within the system. • https://www.themissinglink.com.au/security-advisories/cve-2022-40292 • CWE-209: Generation of Error Message Containing Sensitive Information
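The advisory does not name the endpoint, so the following is an added Python illustration (not PHP Point of Sale code) of the CWE-209 class it is filed under: an authentication handler whose error message reveals whether a username exists, next to one that returns a single generic message and does the same amount of work either way, plus the enumeration check an attacker would run against both. The user table, passwords and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20_000  # kept low for the example; production PBKDF2 counts are much higher


def password_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, hash). A real deployment loads this from the database.
_SALT = b"constructed-salt-1"
USERS = {
    "admin": (_SALT, password_hash(_SALT, "correct horse")),
    "cashier": (_SALT, password_hash(_SALT, "battery staple")),
}

# Fixed dummy record so that unknown usernames still cost exactly one hash computation.
_DUMMY = (b"constructed-dummy-salt", password_hash(b"constructed-dummy-salt", secrets.token_hex(16)))


def vulnerable_login(username: str, password: str) -> dict:
    """CWE-209 pattern: the error text tells the caller whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return {"ok": False, "error": "No account with that username"}
    salt, digest = record
    if not hmac.compare_digest(password_hash(salt, password), digest):
        return {"ok": False, "error": "Incorrect password"}
    return {"ok": True, "error": ""}


def hardened_login(username: str, password: str) -> dict:
    """One generic message, and the same work, whether or not the username exists."""
    salt, digest = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(password_hash(salt, password), digest)
    if username not in USERS or not matched:
        return {"ok": False, "error": "Invalid username or password"}
    return {"ok": True, "error": ""}


def enumerate_users(login, candidates) -> set:
    """Attacker's view: a username is confirmed when its failure message differs
    from the message returned for a name that certainly does not exist."""
    baseline = login("no-such-user-" + secrets.token_hex(4), "x")["error"]
    return {u for u in candidates if login(u, "x")["error"] != baseline}
```

The same oracle exists wherever a response differs by account existence: password-reset forms, registration "name taken" checks, or an API that returns 404 for unknown users and 403 for known ones. The fix is a uniform response body, status code and, as far as practical, response time.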
CVE-2022-40291 – Cross-site request forgery (CSRF) in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC
https://notcve.org/view.php?id=CVE-2022-40291
The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site that delete their account or, in rare circumstances, hijack their account and create other admin accounts. • https://www.themissinglink.com.au/security-advisories/cve-2022-40291 • CWE-352: Cross-Site Request Forgery (CSRF)
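The advisory names account deletion as the reachable action, so the following added Python illustration (not PHP Point of Sale code) shows a delete-account handler that relies on the session cookie alone, next to one that requires a session-bound synchronizer token and rejects cross-site fetches. The session table, route, request shape and token scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET_KEY = secrets.token_bytes(32)   # per-deployment secret; generated here for the example

# Constructed session table: cookie value -> session data.
SESSIONS = {"sess-victim": {"user": "alice", "role": "admin"}}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session by HMAC. The application embeds it in its own forms;
    a page on another origin cannot read it, so it cannot include it in a forged request."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_delete_account(req: Request, accounts: set) -> int:
    """Only the cookie is checked, and the browser attaches that cookie to cross-site requests too."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    accounts.discard(sess["user"])
    return 200


def hardened_delete_account(req: Request, accounts: set) -> int:
    sid = req.cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if req.method != "POST":                       # state changes never ride on GET
        return 405
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(sid)):
        return 403
    # Defence in depth: modern browsers label cross-site requests with Sec-Fetch-Site.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    accounts.discard(sess["user"])
    return 200


def forged_request(victim_sid: str) -> Request:
    """What an attacker's page can make the victim's browser send: cookie attached, no token."""
    return Request("POST", "/account/delete",
                   cookies={"sid": victim_sid},
                   headers={"Sec-Fetch-Site": "cross-site"})


def legitimate_request(sid: str) -> Request:
    return Request("POST", "/account/delete",
                   cookies={"sid": sid},
                   form={"csrf_token": csrf_token(sid)},
                   headers={"Sec-Fetch-Site": "same-origin"})
```

Marking the session cookie SameSite=Lax (or Strict) is a useful additional layer, but the token check is the control that does not depend on browser behaviour.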
CVE-2022-40293 – Session fixation in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.
https://notcve.org/view.php?id=CVE-2022-40293
The application was vulnerable to a session fixation that could be used to hijack accounts. • https://www.themissinglink.com.au/security-advisories/cve-2022-40293 • CWE-384: Session Fixation
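The advisory gives no detail of the affected session handling, so the following is an added Python illustration (not PHP Point of Sale code) of CWE-384 in general: a login that keeps whatever session identifier the client arrived with, next to one that issues a fresh identifier at authentication (what session_regenerate_id(true) does in PHP), and the fixation attempt run against both. The in-memory store and the planted identifier are constructed for the example.

```python
import secrets
from typing import Optional


class SessionStore:
    """In-memory session table standing in for the server's session handler (constructed)."""

    def __init__(self):
        self.sessions: dict = {}

    def start(self, requested_sid: Optional[str] = None) -> str:
        """Fixation-prone: a client-supplied identifier (from a URL parameter or a cookie the
        attacker planted) is accepted as-is instead of being replaced by a server-generated one."""
        sid = requested_sid or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login_vulnerable(self, sid: str, username: str) -> str:
        """Authenticates the existing identifier, so whoever chose it now owns a logged-in session."""
        self.sessions[sid]["user"] = username
        return sid

    def login_hardened(self, sid: str, username: str) -> str:
        """Regenerates the identifier at the privilege change and discards the pre-auth one,
        so a value the attacker knew before the login is worthless afterwards."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(use_hardened: bool) -> Optional[str]:
    """Attacker forces a known identifier onto the victim, waits for the login, then presents it."""
    store = SessionStore()
    planted = store.start("attacker-chosen-id")      # attacker plants the value
    login = store.login_hardened if use_hardened else store.login_vulnerable
    login(planted, "victim")                        # victim authenticates with the planted value
    return store.user_for(planted)                  # attacker tries the same value
```

Regeneration at login is the core fix; refusing to adopt identifiers the server never issued, and not accepting them from URL parameters at all, removes the planting step as well.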
CVE-2022-40288 – Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via messaging functionality
https://notcve.org/view.php?id=CVE-2022-40288
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges and compromise any account that views the attacker's user profile. • https://www.themissinglink.com.au/security-advisories/cve-2022-40288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
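The affected fields are not listed, so the following is an added Python illustration (not PHP Point of Sale code) of stored XSS through profile data: a view that concatenates stored fields into the page, next to one that escapes for the HTML text and attribute contexts and validates the URL scheme separately, with a small HTML-parser check that confirms no active markup survives. The profile record and payloads are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed profile record as stored; display name and website were set by an attacker.
PROFILE = {
    "username": "cashier01",
    "display_name": "<img src=x onerror=\"fetch('/api/users?role=admin')\">",
    "website": "javascript:alert(document.cookie)",
}


def render_vulnerable(profile: dict) -> str:
    """Stored fields are concatenated straight into the page viewed by other users."""
    return f'<h1>{profile["display_name"]}</h1><a href="{profile["website"]}">site</a>'


def safe_url(url: str) -> str:
    """Only http(s) URLs may land in an href; javascript:, data: and the rest become inert."""
    return url if re.match(r"^https?://", url, re.IGNORECASE) else "#"


def render_hardened(profile: dict) -> str:
    """Escape on output for each context; scheme validation is a separate, explicit step."""
    name = html.escape(profile["display_name"], quote=True)
    site = html.escape(safe_url(profile["website"]), quote=True)
    return f'<h1>{name}</h1><a href="{site}" rel="noopener">site</a>'


class ActiveMarkupScanner(HTMLParser):
    """Checker: records any tag beyond the template's own, any on* handler, any javascript: href."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("h1", "a"):
            self.findings.append(f"unexpected tag <{tag}>")
        for key, value in attrs:
            if key.startswith("on"):
                self.findings.append(f"event handler {key}")
            if key == "href" and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL")


def scan(fragment: str) -> list:
    scanner = ActiveMarkupScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings
```

Escaping must happen at output time with the encoder for the destination context; a single "sanitize on save" pass misses fields reused in attributes, JavaScript or URLs later on.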