CVELIST:CVE-2022-40289
Oct 31, 2022 - 8:07 p.m.

CVE-2022-40289 Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via file upload and download functionality.

2022-10-31 20:07:42
CWE-79
TML
www.cve.org
php point of sale
stored xss
file upload

AI Score: 8.1 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 42.9%)

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged by an attacker to escalate privileges or compromise any accounts they can coerce into observing the targeted files.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "PHP Point of Sale",
    "vendor": "PHP Point of Sale LLC",
    "versions": [
      {
        "status": "affected",
        "version": "0"
      }
    ]
  }
]
