OpenAsset Digital Asset Management SQL Injection

OpenAsset Digital Asset Management suffers from an authenticated blind remote SQL injection vulnerability.

MD5 | 104a24c90358f7b176c601947844d418

Title: Authenticated blind SQL injection (SQLi)

Product: OpenAsset Digital Asset Management by OpenAsset

Vendor Homepage:

Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)

Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise)

CVE Number: CVE-2020-28860

Author: Jack Misiura from The Missing Link



2020-11-14 Disclosed to Vendor

2020-12-04 Vendor releases final patches

2020-12-10 Publication

1. Vulnerability Description

The OpenAsset Digital Asset Management application was vulnerable to a blind SQL injection, through the /AJAXPage/SearchResults endpoint, via the "currentSearchItems" parameter.

2. PoC

The following requests will result in > 10 second delay in the response, due to the introduction of the SLEEP(10) command into the SQL query:

3. Solution

The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.

4. Advisory URL

Related Posts