68 matches found
CVE-2022-30359
OvalEdge 5.2.8.0 and earlier are affected by a Sensitive Data Exposure vulnerability. The issue arises from a GET request to /user/getUserList, with authentication required. The exposure includes data for all registered users (user IDs, status, email addresses, roles, user type, license type) and...
CVE-2022-30356
OvalEdge 5.2.8.0 and earlier are affected by a Privilege Escalation vulnerability. A POST to /user/assignuserrole with userid and role parameters can enable elevation when authenticated with OE_ADMIN privileges. Affected component/versions are specified, with CVSS data indicating multiple impact ...
CVE-2022-30358
CVE-2022-30358 affects OvalEdge 5.2.8.0 and earlier. A vulnerability in the POST /user/updatePassword endpoint (parameters: userId, newPsw) allows account takeover; authentication is required. Connected sources (Red Hat, NVD, CVE listing, CNNVD) corroborate this description. No remediation detail...
CVE-2022-30360
CVE-2022-30360 affects OvalEdge 5.2.8.0 and earlier. The vulnerability is described as multiple Stored XSS (Persistent/Type II) issues that can be triggered via a POST to the endpoint /profile/updateProfile using the slackid or phone parameters; authentication is required. The connected Red Hat/C...
CVE-2022-30361
OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure via an unauthenticated GET request to /user/getUserType. The endpoint discloses data tied to the registered user: user ID, status, email, roles, user type, license type, and personal details such as first name, last name, gende...
CVE-2022-30357
OvalEdge 5.2.8.0 and earlier are affected by an Account Takeover vulnerability triggered by a POST to /profile/updateProfile using the userId and email parameters. Authentication is required. The Red Hat/CNNVD/CVE entries repeat this finding; NVD lists CVSS v3.1 scores with high/critical impact (...
CVE-2022-30354
OvalEdge 5.2.8.0 and earlier suffers a Sensitive Data Exposure via a GET to /user/getUserWithTeam, requiring authentication. The vulnerability discloses data associated with all registered user IDs. Affected component/endpoint: /user/getUserWithTeam. Root cause is exposure of user data through an...
CVE-2022-30355
OvalEdge 5.2.8.0 and earlier are affected by an Account Takeover vulnerability. The issue allows exploitation via a POST to /profile/updateProfile using userId and email parameters, with authentication required. Multiple connected sources confirm the affected versions and the vulnerable endpoint....