⚠️OvalEdge 5.2.8.0 Vulnerability Disclosures

Summary of Findings

• Sensitive Data Exposure (unauthenticated)

  • CVE-2022-30361

• Sensitive Data Exposure (authenticated)

  • CVE-2022-30354

  • CVE-2022-30359

• Account Takeover (authenticated)

  • CVE-2022-30358

  • CVE-2022-30357

• Account Takeover (authenticated SAML/SSO)

  • CVE-2022-30355

• Privilege Escalation (authenticated)

  • CVE-2022-30356

• Authenticated Stored XSS (AKA Persistent or Type II)

  • CVE-2022-30360

Timeline

• Reported: May 24, 2022

• Patched: Nov 15th, 2022

• Published: Nov 15th, 2022

  • https://support.ovaledge.com/release-6.0 (See 10. Security Improvements)