CVE-2022-30361

Name of the Vulnerable Software and Affected Versions OvalEdge versions 5.2.8.0 and earlier

Description The issue allows for Sensitive Data Exposure through a GET request to the "/user/getUserType" API endpoint, which does not require authentication. This exposes information related to the registered user, including user id, status, email address, role, user type, license type, and personal details such as first name, last name, gender, and user preferences.

Recommendations For OvalEdge versions 5.2.8.0 and earlier, as a temporary workaround, consider restricting access to the "/user/getUserType" API endpoint to minimize the risk of exploitation. Avoid using this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.