CVE-2022-40295

Published Oct 31, 2022

Last updated 4 months ago

CVSS medium 4.9

Overview

Description
The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.
Source
vdp@themissinglink.com.au
NVD status
Modified
Products
php_point_of_sale

Risk scores

CVSS 3.1

Type
Primary
Base score
4.9
Impact score
3.6
Exploitability score
1.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

vdp@themissinglink.com.au
CWE-916
nvd@nist.gov
CWE-311

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer', ussing 'start_date_formatted' y 'end_date_formatted' parameters.CVE-2025-41011
  2. Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommerce 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg_language parameter. NOTE: this issue has been disputed by CVE, since the cfg_language variable is configured upon proper product installationCVE-2007-1477

References

Sources include official advisories and independent security research.