Octech Oempro 4.7 through 4.11 allow XSS by an authenticated user. The parameter CampaignName in Campaign.Create is vulnerable.

CVE: CVE-2020-9460 
CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Command: Campaign.Create
Request parameter: CampaignName
Version: Oempro v4.7 through v4.11
Researcher: Guilherme Rubert
Payload: "><marquee/onstart=alert("XSS")>

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9460
https://nvd.nist.gov/vuln/detail/CVE-2020-9460
https://github.com/g-rubert/CVE-2020-9460
https://www.octeth.com/
Cross-site Scripting
CVE: CVE-2020-9461
CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description:
Octech Oempro 4.7 through 4.11 allow stored XSS by an authenticated user.
The FolderName parameter of the Media.CreateFolder command is vulnerable.

Command: Media.CreateFolder
Request parameter: FolderName
Version: Oempro v4.7 through v4.11
Researcher: Guilherme Rubert
Payload: "><script>confirm(document.cookie)</script>

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9461
https://nvd.nist.gov/vuln/detail/CVE-2020-9461
https://www.octeth.com/
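
Both payloads above begin with "> which closes an attribute value and its tag before adding new markup. The following regression check is an added example, not code from the advisory or from Oempro: it renders a name into a hypothetical input field template (Oempro's real templates are not shown here), with and without output encoding, and parses the result to see whether any extra element or event handler appears.

```python
import html
from html.parser import HTMLParser

# The two payloads published in the advisories (CampaignName, FolderName).
PAYLOADS = [
    '"><marquee/onstart=alert("XSS")>',
    '"><script>confirm(document.cookie)</script>',
]

# Hypothetical template (assumption): the stored name echoed into an attribute.
TEMPLATE = '<input type="text" name="CampaignName" value="{}">'


def render_raw(name):
    """Vulnerable pattern: stored value interpolated without encoding."""
    return TEMPLATE.format(name)


def render_encoded(name):
    """Hardened pattern: encode for the HTML attribute context on output."""
    return TEMPLATE.format(html.escape(name, quote=True))


class _Collector(HTMLParser):
    """Records elements, on* attributes and the input's decoded value."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.value = [], [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [k for k, _ in attrs if k.startswith("on")]
        if tag == "input":
            self.value = dict(attrs).get("value")


def inspect_field(fragment):
    """Return (unexpected tags, event handlers, decoded value attribute)."""
    c = _Collector()
    c.feed(fragment)
    c.close()
    return [t for t in c.tags if t != "input"], c.handlers, c.value


if __name__ == "__main__":
    for p in PAYLOADS:
        print("raw:    ", inspect_field(render_raw(p)))
        print("encoded:", inspect_field(render_encoded(p)))
```

With encoding applied on output, the parser sees a single input element whose value is the stored name unchanged, so legitimate names containing quotes or angle brackets still display correctly.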