Skip to main content

Open Source Point Of Sale CVE-2022-34578

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2022-07-28 cve@mitre.org
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 28, 2022 - 20:15 nvd
HIGH 7.2

DescriptionNVD

Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.

AnalysisAI

Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page. Affected products include: Opensourcepos Open Source Point Of Sale.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2026-26746 HIGH POC
8.8 Feb 20

Open Source Point Of Sale versions up to 3.4.1 is affected by unrestricted upload of file with dangerous type (CVSS 8.8)

CVE-2025-70093 HIGH POC
7.4 Feb 13

An issue in OpenSourcePOS v3.4.1 allows attackers to execute arbitrary code via returning a crafted AJAX response. [CVSS

CVE-2025-70095 MEDIUM POC
6.5 Feb 13

A cross-site scripting (XSS) vulnerability in the item management and sales invoice function of OpenSourcePOS v3.4.1 all

CVE-2025-70091 MEDIUM POC
6.5 Feb 13

A cross-site scripting (XSS) vulnerability in the Customers function of OpenSourcePOS v3.4.1 allows attackers to execute

CVE-2025-70094 MEDIUM POC
6.5 Feb 13

A cross-site scripting (XSS) vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attacker

CVE-2025-70092 MEDIUM POC
5.5 Feb 12

A cross-site scripting (XSS) vulnerability in the Item Kits function of OpenSourcePOS v3.4.1 allows attackers to execute

CVE-2026-26745 MEDIUM POC
5.3 Feb 20

OpenSourcePOS 3.4.1 allows authenticated attackers to execute arbitrary SQL commands through unsanitized concatenation o

CVE-2025-68658 MEDIUM
4.3 Jan 13

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter fram

CVE-2015-0299 MEDIUM
4.0 Sep 29

Multiple cross-site scripting (XSS) vulnerabilities in Open Source Point of Sale 2.3.1 allow remote authenticated users

CVE-2025-63800 HIGH POC
7.5 Nov 18

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty s

Share

CVE-2022-34578 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy