Vulnerability Details : CVE-2022-40295
The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.
Vulnerability category: Information leak
Products affected by CVE-2022-40295
- cpe:2.3:a:phppointofsale:php_point_of_sale:19.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-40295
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 28 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-40295
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
1.2
|
3.6
|
NIST |
CWE ids for CVE-2022-40295
-
The product does not encrypt sensitive or critical information before storage or transmission.Assigned by: nvd@nist.gov (Primary)
-
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Assigned by: vdp@themissinglink.com.au (Secondary)
References for CVE-2022-40295
-
https://www.themissinglink.com.au/security-advisories/cve-2022-40295
Authenticated sensitive information disclosure in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC.Third Party Advisory
Jump to