[CVE-2022–34578] Open Source Point of Sale v3.3.7— File Upload Cross-Site Scripting
# An Issue is discoverd in Open Source Point of Sale v3.3.7.
#We found a vulnerability file upload, when we upload malicious file at Update Branding Settings page.
Proof of Concept
First, we login to the target application with admin privileges.
Then we click at the Pelanggan icon as show in the picture.
We select “Buat Barang Baru” menu.
At Favicon, click “Seleccionar Imagen” for select a file.
Browse the file where we prepared the payload XSS Then click “Baru” for saving a file.
After uploading the file The file will appear in a new row in the table.
We found the XSS!
Grim The Ripper Team by SOSECURE Thailand