Title: Stored cross-site scripting (XSS) Product: OpenAsset Digital Asset Management by OpenAsset Vendor Homepage: https://www.openasset.com/ Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise) Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise) CVE Number: CVE-2020-28857 Author: Jack Misiura from The Missing Link Website: https://www.themissinglink.com.au Timeline: 2020-11-14 Disclosed to Vendor 2020-12-04 Vendor releases final patches 2020-12-10 Publication 1. Vulnerability Description The OpenAsset Digital Asset Management web application allowed for stored cross-site scripting attacks against various parameters and endpoints. Vulnerable parts of the web application include: * System Preferences * Project Code regex field * User name regex field * Password regex field * All three description fields * First Album Name field * Visit Items Per SOAP request field * Categories description * Keywords, triggered on deletion attempts * Editing photographer name * Access token name * Web share name 2. PoC For system preferences fields, the following payloads can be used: " autofocus onfocus="alert('Stored XSS');" abc=" "> For categories description: Category Name Goes Here For keywords: Delete Me Photographer name: John Smith Access token name: TokenName"> Web share name: Share 3. Solution The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it. 4. Advisory URL https://www.themissinglink.com.au/security-advisories -------- Title: Reflected cross-site scripting (XSS) Product: OpenAsset Digital Asset Management by OpenAsset Vendor Homepage: https://www.openasset.com/ Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise) Fixed Version: 12.0.22 (Cloud) 11.4.10 (On-premise) CVE Number: CVE-2020-28859 Author: Jack Misiura from The Missing Link Website: https://www.themissinglink.com.au Timeline: 2020-11-14 Disclosed to Vendor 2020-12-04 Vendor releases final patches 2020-12-10 Publication 1. Vulnerability Description Multiple reflected cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allows remote attackers to inject arbitrary JavaScript or HTML via: * Account recovery/password reset page through the email parameter * Saved search request, through the id parameter * Search result request, through both the imageViewId and lpFilterInputId parameters 2. PoC Account recovery: https://example.com/Page/StartAccountRecovery?ok=1 &email=test%40test "');}}}]});alert(123); Search result request: https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript >alert("more+xss+here")%3b 3. Solution The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it. 4. Advisory URL https://www.themissinglink.com.au/security-advisories