CVE-2022-40294 – CSV Injection in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC
https://notcve.org/view.php?id=CVE-2022-40294
The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers. Se identificó que la aplicación tenía una inyección CSV en la funcionalidad de exportación de datos, lo que permitía incrustar código malicioso en los datos exportados y luego activarlos en los visores de datos exportados. • https://www.themissinglink.com.au/security-advisories/cve-2022-40294 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2022-40290 – Reflected cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.
https://notcve.org/view.php?id=CVE-2022-40290
The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users. La aplicación era vulnerable a una vulnerabilidad de Cross-Site Scripting (XSS) Reflejado no autenticadas en la funcionalidad de generación de códigos de barras, lo que permitía a los atacantes generar un enlace inseguro que podría comprometer a los usuarios. • https://www.themissinglink.com.au/security-advisories/cve-2022-40290 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-40295 – Authenticated sensitive information disclosure in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.
https://notcve.org/view.php?id=CVE-2022-40295
The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks. La aplicación era vulnerable a una divulgación de información autenticada, lo que permitía a los administradores ver contraseñas de usuario sin vector de inicialización, lo que podría comprometer las contraseñas en texto plano a través de ataques fuera de línea. • https://www.themissinglink.com.au/security-advisories/cve-2022-40295 • CWE-311: Missing Encryption of Sensitive Data CWE-916: Use of Password Hash With Insufficient Computational Effort •
CVE-2022-40287 – Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via user profile data fields.
https://notcve.org/view.php?id=CVE-2022-40287
The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a targeted account. Se descubrió que la aplicación era vulnerable a una vulnerabilidad de Stored Cross-Site Scripting (XSS) autenticadas en la funcionalidad de mensajería, lo que provocaba una escalada de privilegios o el compromiso de una cuenta específica. • https://www.themissinglink.com.au/security-advisories/cve-2022-40287 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-40296 – Server-side request forgery (SSRF) in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.
https://notcve.org/view.php?id=CVE-2022-40296
The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems. La aplicación era vulnerable a ataques de Server-Side Request Forgery (SSRF), lo que permitía que el servidor de backend interactuara con endpoints inesperados, incluidos potencialmente servicios internos y locales, lo que provocaba ataques en otros sistemas posteriores. • https://www.themissinglink.com.au/security-advisories/cve-2022-40296 • CWE-918: Server-Side Request Forgery (SSRF) •