PhppointofsaleCVEs & Vulnerabilities

11 CVEs affecting Phppointofsale products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

php point of sale 11
CVE-2022-40296CRITICAL

The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems.

1 Nov 2022
9.8
CVSS
CVE-2022-40295MEDIUM

The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.

1 Nov 2022
4.9
CVSS
CVE-2022-40294HIGH

The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.

1 Nov 2022
8.8
CVSS
CVE-2022-40293CRITICAL

The application was vulnerable to a session fixation that could be used hijack accounts.

1 Nov 2022
9.8
CVSS
CVE-2022-40292MEDIUM

The application allowed for Unauthenticated User Enumeration by interacting with an unsecured endpoint to retrieve information on each account within the system.

1 Nov 2022
5.3
CVSS
CVE-2022-40291HIGH

The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site to delete their account, or in rare circumstances, hijack their account and create other admin accounts.

1 Nov 2022
8.8
CVSS
CVE-2022-40290MEDIUM

The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users.

1 Nov 2022
6.1
CVSS
CVE-2022-40289CRITICAL

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files.

1 Nov 2022
9.0
CVSS
CVE-2022-40288CRITICAL

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile.

1 Nov 2022
9.0
CVSS
CVE-2022-40287CRITICAL

The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a targeted account.

1 Nov 2022
9.0
CVSS
CVE-2011-3785MEDIUM

PHP Point Of Sale (POS) 10.7 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by system/scaffolding/views/view.php and certain other files.

24 Sep 2011
5.0
CVSS
← PrevPage 1 / 1Next →