PT-2024-11558 · Ovaledge · Ovaledge

Published: 2024-10-25 · Updated: 2024-10-31 · CVE-2022-30360

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OvalEdge versions 5.2.8.0 and earlier
Description: Multiple stored XSS (also known as persistent or Type II XSS) vulnerabilities. They can be exploited via a POST request to the "/profile/updateProfile" API endpoint, specifically through the slackid or phone parameters. Authentication is required to exploit this issue.
Recommendations: For OvalEdge versions 5.2.8.0 and earlier, as a temporary workaround, consider disabling the /profile/updateProfile API endpoint or restricting access to the slackid and phone parameters until a patch is available. At the moment there is no information about a newer version that contains a fix for this vulnerability.
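As an added example (not OvalEdge's code and not part of the original advisory), the following server-side check models the workaround above: it rejects profile-update requests whose slackid or phone values fall outside a strict allowlist, and HTML-escapes stored values when they are rendered. The endpoint and parameter names come from the advisory; the allowlist patterns and the sample request bodies are assumptions constructed for illustration.

```python
import html
import re

# Endpoint and parameter names come from the advisory; the allowlist patterns
# below are assumptions for illustration, not OvalEdge's actual validation.
UPDATE_PROFILE_PATH = "/profile/updateProfile"

# Phone: optional leading '+' then 7-15 digits (E.164-style) after separators are stripped.
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
# Slack member IDs: upper-case alphanumerics starting with U or W (assumed format).
SLACKID_RE = re.compile(r"^[UW][A-Z0-9]{8,12}$")

RESTRICTED_PARAMS = {"slackid": SLACKID_RE, "phone": PHONE_RE}


def normalize_phone(value: str) -> str:
    """Drop separators users commonly type so the allowlist stays strict but usable."""
    return re.sub(r"[\s\-().]", "", value)


def validate_update_profile(path: str, params: dict) -> list:
    """Return rejection reasons; an empty list means the request may proceed.

    Only the two parameters named in the advisory are checked, so unrelated
    profile fields keep working.
    """
    if path != UPDATE_PROFILE_PATH:
        return []
    errors = []
    for name, pattern in RESTRICTED_PARAMS.items():
        if name not in params:
            continue
        value = normalize_phone(params[name]) if name == "phone" else params[name]
        if not pattern.fullmatch(value):
            errors.append(f"{name}: value does not match the allowed format")
    return errors


def render_profile_field(value: str) -> str:
    """Defence in depth: escape on output so stored data can never become markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample bodies, not real traffic.
    good = {"slackid": "U0123ABCDEF", "phone": "+1 (555) 010-0199", "name": "Ada"}
    bad = {"slackid": "<script>alert(1)</script>", "phone": "5550100<img src=x>"}
    print(validate_update_profile(UPDATE_PROFILE_PATH, good), validate_update_profile(UPDATE_PROFILE_PATH, bad))
```

The allowlist rejects the bad body on both fields while leaving requests to other paths untouched; output escaping covers any value that was stored before the check was in place.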

Exploit: XSS
Weakness Enumeration: (not listed)
Related Identifiers: CVE-2022-30360
Affected Products: Ovaledge