Headline
CVE-2022-40289: Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via file upload and download functionality.
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files.
Discovered by Edward Prior on behalf of The Missing Link Security
Vulnerability Details
The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in the upload and download functionality. Which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files.
Affected Versions
Discovered in: 19.0
Fixed Versions
Fixed In: 19.0 minor release