Title: Reflected cross-site scripting in OpenAsset Digital Asset Management by OpenAsset
Discovery: Jack Misiura on behalf of The Missing Link Security
* Account recovery/password reset page through the email parameter
* Saved search request, through the id parameter
* Search result request, through both the imageViewId and lpFilterInputId parameters
Successful exploitation of this issue may allow an attacker to perform unauthorised actions in the user’s security context.
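As an added, defender-side example (not part of this advisory or of OpenAsset's code): a small Python check over web server access logs that flags requests in which the four parameters named above carry values outside their expected shape. The endpoint paths and log lines are constructed placeholders, and the per-parameter value shapes (an address for email, an integer for id and imageViewId, a plain token for lpFilterInputId) are assumptions, since the advisory does not state them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory and the value shape each is assumed to take.
# These shapes are assumptions for illustration, not OpenAsset's actual validation.
EXPECTED = {
    "email": re.compile(r"^[^@\s<>\"'/]+@[^@\s<>\"'/]+\.[A-Za-z]{2,}$"),
    "id": re.compile(r"^\d+$"),
    "imageViewId": re.compile(r"^\d+$"),
    "lpFilterInputId": re.compile(r"^[A-Za-z0-9_-]+$"),
}

# Minimal Apache/nginx "combined" log pattern; only the request target is needed.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return (name, value) pairs whose decoded value does not match its expected shape.
    parse_qsl URL-decodes values, so percent-encoded input is inspected in clear form."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        pattern = EXPECTED.get(name)
        if pattern and not pattern.match(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return one finding per log line that carries a malformed advisory parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"src": m.group("src"), "ts": m.group("ts"), "params": hits})
    return findings

# Constructed sample lines; the paths are placeholders, not real OpenAsset routes.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /password-reset?email=alice%40example.com HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /password-reset?email=%3Cx%3Ealice%40example.com HTTP/1.1" 200 640',
    '198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /saved-search?id=42 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?imageViewId=7&lpFilterInputId=filter_1 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?imageViewId=7%22%3E&lpFilterInputId=filter_1 HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit is only a shape violation, so review flagged requests against the fixed versions above rather than treating each as a confirmed attack.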
Discovered in: 12.0.19 (Cloud) 11.2.1 (On-Premise)
Fixed in: 12.0.22 (Cloud) 11.4.10 (On-Premise)
OpenAsset would like to thank Jack Misiura for reporting this vulnerability.