CVE-2022-40295

Published: Oct 31, 2022Modified: Feb 25, 2026

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.

Affected (1)

Products: Phppointofsale: Php Point Of Sale

Phppointofsale

1 product

Php Point Of Sale

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phppointofsale Php Point Of Sale	Version 19.0

Related CWEs

CWE-311

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

CWE-916

Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

References (2)

https://www.themissinglink.com.au/security-advisories/cve-2022-40295

Source: vdp@themissinglink.com.au

Third Party Advisory

https://www.themissinglink.com.au/security-advisories/cve-2022-40295

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.