Security Headlines: Latest CVEs, tag #php

CVE-2022-40294: Authenticated incubated vulnerability in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was found to contain a CSV injection in its data export functionality: a user-controlled field can carry a spreadsheet formula that is written verbatim into the exported file and evaluated when a victim opens the export in a spreadsheet application such as Excel or LibreOffice Calc.
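The mechanics of a CSV injection, and the export-side fix, as an added Python example that is not code from PHP Point of Sale or from the advisory (the sample rows are constructed here): any cell beginning with =, +, -, @, tab or carriage return is treated as a formula by spreadsheet applications, so the exporter prefixes such cells with a single quote and quotes every field, while numeric values are passed through so negative balances are not mangled.

```python
import csv
import io
import re

# Leading characters that make Excel, LibreOffice Calc and Google Sheets
# evaluate a CSV cell as a formula instead of displaying it as text.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")
NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than show it."""
    return cell.startswith(FORMULA_PREFIXES) and not NUMERIC.match(cell)


def find_formula_cells(rows):
    """Detection side: (row, column) positions of cells that would be
    evaluated when the export is opened. Useful for scanning an existing
    export or the database fields that feed it."""
    return [(r, c) for r, row in enumerate(rows)
            for c, cell in enumerate(row)
            if isinstance(cell, str) and is_formula_like(cell)]


def neutralize_cell(cell) -> str:
    """Prefix formula-like text with a single quote so the spreadsheet stores
    it as a literal string (the OWASP CSV-injection mitigation). Real numbers
    and numeric strings such as "-15.50" pass through unchanged."""
    if isinstance(cell, (int, float)) and not isinstance(cell, bool):
        return str(cell)
    text = str(cell)
    return "'" + text if is_formula_like(text) else text


def export_rows(header, rows) -> str:
    """Write a CSV export. QUOTE_ALL wraps every field in double quotes and
    doubles embedded quotes, so a payload cannot close the quoted cell and
    start a new one; neutralize_cell stops the cell from being evaluated."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed customer records; the names are classic DDE/hyperlink payloads.
    customers = [
        ["Alice", -15.5],
        ["=cmd|' /C calc'!A0", 0],
        ['=HYPERLINK("http://evil.example","click")', 12],
        ["-2+3+cmd|' /C calc'!A0", "-15.50"],
    ]
    print("formula cells:", find_formula_cells(customers))
    print(export_rows(["name", "balance"], customers))
```

The same transformation belongs in the PHP export code in front of fputcsv(); client-side viewers cannot be trusted to refuse formulas, so the server must neutralize them.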

CVE-2022-40289: Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via file upload and download functionality.

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the file upload and download functionality. An attacker could use it to escalate privileges or to compromise any account whose user can be induced to view the attacker's uploaded files.

CVE-2022-40291: Cross-site request forgery (CSRF) in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was vulnerable to Cross-Site Request Forgery (CSRF): an attacker could make a logged-in user's browser send state-changing requests to the site, for example to delete that user's own account or, in rare circumstances, to hijack the account and create additional admin accounts.
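A CSRF-prone handler next to a hardened one, as an added Python example that is not code from PHP Point of Sale or from the advisory. The in-memory account set and the origin https://pos.example are constructed for the example. The vulnerable handler authorizes the deletion on the session cookie alone, which the browser attaches to a cross-site form post automatically; the hardened one also demands a per-session token the attacker's page cannot read and checks the Origin or Referer header.

```python
import hmac
import secrets

# Constructed stand-ins for the real application's state.
ALLOWED_ORIGIN = "https://pos.example"
ACCOUNTS = {"alice", "bob"}


def account_exists(user: str) -> bool:
    return user in ACCOUNTS


def issue_csrf_token(session: dict) -> str:
    """One random token per session, embedded as a hidden field in every
    state-changing form. The same-origin policy keeps our HTML, and so the
    token, out of reach of an attacker's page."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_is_valid(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(expected, submitted)


def same_origin(headers: dict) -> bool:
    """Defence in depth: browsers attach Origin (or at least Referer) to
    cross-site form posts, and a forged request carries the attacker's site."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return origin == ALLOWED_ORIGIN or origin.startswith(ALLOWED_ORIGIN + "/")


def delete_account_vulnerable(session: dict):
    """The pattern behind a CSRF bug: the session cookie alone authorizes the
    action, so any site that makes the victim's browser post here succeeds."""
    if not session.get("user"):
        return 401, "not logged in"
    ACCOUNTS.discard(session["user"])
    return 200, "account deleted"


def delete_account(session: dict, form: dict, headers: dict):
    """Hardened handler: same cookie check, plus origin and token checks."""
    if not session.get("user"):
        return 401, "not logged in"
    if not same_origin(headers):
        return 403, "cross-site request refused"
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    ACCOUNTS.discard(session["user"])
    return 200, "account deleted"


if __name__ == "__main__":
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    # A forged post from attacker.example: no token, foreign origin.
    print(delete_account(session, {}, {"Origin": "https://attacker.example"}))
    # The legitimate form submission from our own page.
    print(delete_account(session, {"csrf_token": token},
                         {"Referer": "https://pos.example/account"}))
```

Setting the session cookie with SameSite=Lax removes the cross-site cookie for plain form posts as well, but the token check is what makes the handler safe regardless of browser behaviour.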

CVE-2022-40288: Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via messaging functionality.

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges and to compromise any account that views the attacker's user profile.

CVE-2022-40287: Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via user profile data fields.

The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the messaging functionality, leading to privilege escalation or the compromise of a targeted account.

CVE-2022-40290: Reflected cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) in the barcode generation functionality, allowing an attacker to craft a link that executes script in the browser of any user who opens it.

CVE-2022-40292: Unauthenticated username enumeration in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application allowed unauthenticated user enumeration: an unsecured endpoint returned information on every account in the system.

CVE-2022-40293: Session fixation in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.

The application was vulnerable to session fixation, which could be used to hijack accounts.
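Session fixation and its fix, as an added Python example that is not code from PHP Point of Sale or from the advisory. The in-memory session store and the credential table are constructed for the example. In the vulnerable flow the server adopts whatever session identifier the browser presents (one the attacker planted via a link or cookie injection) and keeps it after the victim authenticates, so the attacker's copy of that identifier is now a logged-in session; the hardened login discards the pre-authentication identifier and issues a fresh one.

```python
import hmac
import secrets

# Constructed credential table; real code stores password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """In-memory session store keyed by the cookie value."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login_vulnerable(self, sid: str, user: str, password: str) -> str:
        """Fixation-prone: accepts an unknown, attacker-chosen identifier,
        creates a session under it, and keeps it after authentication."""
        session = self._sessions.setdefault(sid, {"user": None})
        if check_password(user, password):
            session["user"] = user
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        """Hardened: on success the presented identifier is destroyed and a
        fresh one is issued, so a planted identifier never becomes an
        authenticated session. Unknown identifiers are never adopted."""
        if not check_password(user, password):
            return sid
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


if __name__ == "__main__":
    planted = "id-the-attacker-already-knows"
    store = SessionStore()
    store.login_vulnerable(planted, "alice", "correct horse battery staple")
    print("attacker's planted id after victim login:", store.get(planted))
    store = SessionStore()
    fresh = store.login(planted, "alice", "correct horse battery staple")
    print("planted id after hardened login:", store.get(planted))
    print("fresh id is authenticated:", store.get(fresh))
```

In PHP the equivalent is calling session_regenerate_id(true) immediately after a successful credential check and enabling session.use_strict_mode so that identifiers not created by the server are rejected.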

CVE-2022-42925: Multiple vulnerabilities in Forma LMS

There is a vulnerability in Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker with the student role to escalate privileges and upload a ZIP file through the plugin upload component. Exploitation of this vulnerability could lead to remote code injection.

GHSA-vqvm-qrwh-69h7: easyii CMS's File Upload Management vulnerable to unrestricted upload

The issue affects the file function in helpers/Upload.php of the File Upload Management component. Manipulation of the upload leads to unrestricted file upload, and the attack may be initiated remotely.
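The checks an upload handler needs in order not to be "unrestricted", as an added Python example that is not code from easyii CMS or from the advisory (the allow-list, size limit and sample file contents are constructed for the example). It rejects disallowed and doubled extensions such as shell.php.png, requires the content to match the claimed type via magic bytes, refuses files carrying a PHP open tag, and stores the file under a random server-chosen name so the original name never reaches the filesystem.

```python
import secrets

# Allowed extensions and the magic bytes their content must begin with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename: str, data: bytes):
    """Return (True, storage_name) for an acceptable file or (False, reason).

    The storage name is random and keeps only the validated extension, so
    path components, NUL bytes or a second extension in the client's name
    can never influence where or as what the file is stored."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not data or len(data) > MAX_BYTES:
        return False, "empty or too large"
    parts = base.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False, "missing extension"
    if len(parts) > 2:
        # shell.php.png style names: some server configurations execute
        # on the first extension, so refuse them outright.
        return False, "multiple extensions refused"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, "extension ." + ext + " not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        # Defence in depth against image/PHP polyglots.
        return False, "embedded PHP tag"
    return True, secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, content in [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.png", png),
        ("avatar.png", b"<?php echo 1; ?>"),
        ("avatar.png", png + b"<?php system('id'); ?>"),
        ("../../.htaccess", b"AddType application/x-httpd-php .png"),
        ("avatar.PNG", png),
    ]:
        print(name, "->", validate_upload(name, content))
```

Even with these checks, the upload directory should live outside the web root or be served with script execution disabled; validation limits what gets written, the server configuration limits what can run.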