CVE-2022-34578: Open Source Point of Sale v3.3.7 — File Upload Cross-Site Scripting

Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.


Description

An issue was discovered in Open Source Point of Sale v3.3.7.

We found a file upload vulnerability: a malicious file can be uploaded through the Update Branding Settings page.

Payload Attack

https://github.com/bypazs/GrimTheRipper

Proof of Concept

First, we log in to the target application with admin privileges.

Then we click the Pelanggan icon, as shown in the picture.

We select the “Buat Barang Baru” menu.

At Favicon, click “Seleccionar Imagen” to select a file.

Browse to the file containing the prepared XSS payload, then click “Baru” to save the file.

After the upload, the file appears in a new row in the table.

We found the XSS!
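The root cause is that the branding/favicon upload accepts whatever the client sends. As an added example (not code from the advisory or from the Open Source Point of Sale project), the check below only accepts a file whose extension and leading bytes both match an allowlisted raster image format and refuses any file carrying markup; the extension/magic-byte table, size limit and marker list are assumptions chosen for this illustration.

```python
# Added example (not from the advisory or the OSPOS project): a server-side
# check for a branding/favicon upload that only accepts real image files,
# so an HTML/SVG/JS payload renamed to an image extension is refused.
import os
import secrets

# Assumed allowlist: extension -> accepted leading bytes (magic numbers)
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".ico": [b"\x00\x00\x01\x00"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_SIZE = 512 * 1024  # assumed limit: 512 KiB is plenty for a favicon
# Markup that never belongs in a raster image and would execute if the
# file were served inline; SVG is deliberately not on the allowlist
FORBIDDEN_MARKERS = (b"<script", b"<svg", b"<html", b"<?php", b"javascript:")


def validate_branding_image(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The extension AND the leading bytes must
    both match an allowlisted raster format, and no active markup may appear."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    if len(data) == 0 or len(data) > MAX_SIZE:
        return False, "empty or oversized file"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    lowered = data.lower()
    if any(marker in lowered for marker in FORBIDDEN_MARKERS):
        return False, "active content found inside image data"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Never reuse the client-supplied name: keep only the allowlisted
    extension and generate the basename server-side."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header, and an HTML payload renamed .png
    good = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    bad = b"<html><script>alert(1)</script></html>"
    print(validate_branding_image("favicon.png", good))  # (True, 'ok')
    print(validate_branding_image("favicon.png", bad))   # rejected
```

Serving the stored file with `X-Content-Type-Options: nosniff` and an explicit image `Content-Type` closes the remaining gap where a browser might otherwise sniff an uploaded file as HTML.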

Author

Grim The Ripper Team by SOSECURE Thailand
