[CVE-2022-34578] Open Source Point of Sale v3.3.7 — File Upload Cross-Site Scripting

Jun 23, 2022


# An issue was discovered in Open Source Point of Sale v3.3.7.

# We found a file upload vulnerability: a malicious file can be uploaded on the Update Branding Settings page.

Payload Attack


Proof of Concept

First, we log in to the target application with admin privileges.

Then we click the Pelanggan icon, as shown in the picture.

We select the “Buat Barang Baru” menu.

Under Favicon, click “Seleccionar Imagen” to select a file.

Browse to the file containing the prepared XSS payload, then click “Baru” to save it.

After the upload, the file appears as a new row in the table.

We found the XSS!
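The steps above show an admin-uploaded favicon being stored and then rendered back, which is the shape of a stored file-upload XSS. As an added example (not the project's code, and in Python rather than the application's PHP), this is the server-side check that closes that class of bug: the upload must carry real image magic bytes for an allowlisted extension, the client's filename is never reused, and stored files are served with headers that stop the browser treating them as a document. The allowed types and the header policy are assumptions about what a branding page needs, not a description of how the application works.

```python
import secrets

# Raster favicon types the branding page needs (assumption: no SVG required).
# SVG and HTML are left out on purpose: browsers execute script found inside
# them, which is what turns an "image" upload into stored XSS.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "ico": (b"\x00\x00\x01\x00",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
CONTENT_TYPES = {"png": "image/png", "ico": "image/x-icon",
                 "gif": "image/gif", "jpg": "image/jpeg"}
MARKUP_MARKERS = (b"<script", b"<svg", b"<html", b"<?xml")

def declared_ext(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpg" if ext == "jpeg" else ext

def validate_favicon(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded favicon may be stored; returns (ok, reason)."""
    ext = declared_ext(filename)
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '{ext}' is not an allowed image type"
    # The declared type must be backed by real magic bytes: a renamed HTML or
    # SVG document fails here whatever its extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match the declared image type"
    # Reject markup in the first KiB even when the header looks right, so a
    # polyglot that is both a valid image and a document is not stored.
    if any(m in data[:1024].lower() for m in MARKUP_MARKERS):
        return False, "markup found inside image data"
    return True, "ok"

def stored_name(filename: str) -> str:
    """Server-chosen name: the client's filename never reaches the disk or the
    uploads table, so '<' or '>' inside it cannot be echoed into the HTML."""
    return f"{secrets.token_hex(8)}.{declared_ext(filename)}"

def response_headers(stored: str) -> dict:
    """Serve stored uploads with a fixed Content-Type from the validated
    extension, nosniff so the browser cannot reinterpret it, and a CSP that
    blocks script even if something slipped past validation."""
    return {
        "Content-Type": CONTENT_TYPES[declared_ext(stored)],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The same check applies to any other image field on the branding page; the row rendered in the table should show the server-chosen name, HTML-escaped, never the original upload name.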


Grim The Ripper Team by SOSECURE Thailand