Title: Cross-site request forgery in OpenAsset Digital Asset Management by OpenAsset
Discovery: Jack Misiura on behalf of The Missing Link Security
The OpenAsset Digital Asset Management application was vulnerable to cross-site request forgery because it did not verify whether a request made to it was intentionally made by the user. All actions performed by a user navigating the site, including all administrative user actions, were found to be vulnerable.
Successful exploitation would allow attackers to perform any action in the current user's security context.
Discovered in: 12.0.19 (Cloud), 11.2.1 (On-Premise)
Fixed in: 12.0.26 (Cloud), 11.4.10 (On-Premise)
OpenAsset would like to thank Jack Misiura for reporting this vulnerability.