CVE-2022-40288

The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.themissinglink.com.au/security-advisories/cve-2022-40288	Third Party Advisory
https://www.themissinglink.com.au/security-advisories/cve-2022-40288	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:phppointofsale:php_point_of_sale:19.0:*:*:*:*:*:*:*

History

21 Nov 2024, 07:21

Type	Values Removed	Values Added
References	~~() https://www.themissinglink.com.au/security-advisories/cve-2022-40288 - Third Party Advisory~~	() https://www.themissinglink.com.au/security-advisories/cve-2022-40288 - Third Party Advisory

Information

Published : 2022-10-31 21:15

Updated : 2025-05-06 20:15

NVD link : CVE-2022-40288

Mitre link : CVE-2022-40288

CVE.ORG link : CVE-2022-40288

JSON object : View

Products Affected

phppointofsale

php_point_of_sale

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-40288", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2022-10-31T21:15:12.790", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-40288", "tags": ["Third Party Advisory"], "source": "vdp@themissinglink.com.au"}, {"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-40288", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "vdp@themissinglink.com.au", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "\nThe application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile.\n\n"}, {"lang": "es", "value": "La aplicaci\u00f3n era vulnerable a Stored Cross-Site Scripting (XSS) autenticado en los campos de datos del perfil de usuario, que podr\u00eda aprovecharse para escalar privilegios y comprometer cualquier cuenta que vea su perfil de usuario.\n"}], "lastModified": "2025-05-06T20:15:23.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:phppointofsale:php_point_of_sale:19.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CE86DBF-3841-4144-B646-FB22C2E12758"}], "operator": "OR"}]}], "sourceIdentifier": "vdp@themissinglink.com.au"}