Title: Authenticated blind SQL injection in OpenAsset Digital Asset Management by OpenAsset
Discovery: Jack Misiura on behalf of The Missing Link Security
The OpenAsset Digital Asset Management application was vulnerable to blind SQL injection through the "currentSearchItems" parameter of the /AJAXPage/SearchResults endpoint.
Successful exploitation would allow attackers to retrieve all information contained in the application database.
Discovered in: 12.0.19 (Cloud), 11.2.1 (On-Premise)
Fixed in: 12.0.23 (Cloud), 11.4.10 (On-Premise)
OpenAsset would like to thank Jack Misiura for reporting this vulnerability.
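Log triage for the endpoint and parameter named above, added here as an example; it is not code from OpenAsset or the researcher. It assumes combined-format access logs that record the parameter in the query string (the advisory does not state the HTTP method), and the marker list, threshold, sample lines and the /AJAXPage/Other path are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/AJAXPage/SearchResults"  # endpoint named in the advisory
PARAM = "currentSearchItems"          # parameter named in the advisory

# Assumption: generic SQL syntax markers; the advisory publishes no payloads.
SQL_MARKERS = re.compile(r"'|--|/\*|\b(?:select|union|sleep|benchmark|waitfor)\b", re.I)
# Assumption: combined log format -> client IP, authenticated user, request target.
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')


def triage(lines, min_hits=3):
    """Return {(ip, user): [decoded values]} for clients whose requests to the
    endpoint carried SQL markers in PARAM at least min_hits times. Blind
    injection extracts data one inference at a time, so repeated hits from one
    session matter more than a single odd value."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, user, target = m.groups()
        url = urlsplit(target)
        if url.path.lower() != ENDPOINT.lower():
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are seen too.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if SQL_MARKERS.search(value):
                hits[(ip, user)].append(value)
    return {who: vals for who, vals in hits.items() if len(vals) >= min_hits}


def _line(ip, user, path, value):
    return (f'{ip} - {user} [10/Mar/2024:10:00:01 +0000] '
            f'"GET {path}?{PARAM}={value} HTTP/1.1" 200 512')


SAMPLE_LOG = [  # constructed lines, not taken from a real system
    _line("203.0.113.7", "alice", ENDPOINT, "x%27%20AND%201%3D1--"),
    _line("203.0.113.7", "alice", ENDPOINT, "x%27%20AND%201%3D2--"),
    _line("203.0.113.7", "alice", ENDPOINT, "x%27%20AND%202%3D2--"),
    _line("198.51.100.20", "bob", ENDPOINT, "O%27Brien"),  # one benign quote
    _line("198.51.100.20", "bob", ENDPOINT, "bridge+photos"),
    _line("198.51.100.20", "bob", "/AJAXPage/Other", "it%27s"),  # hypothetical path
]

if __name__ == "__main__":
    for (ip, user), values in triage(SAMPLE_LOG).items():
        print(f"{ip} user={user} suspicious requests={len(values)}")
```

Because the issue is authenticated, the user field in each flagged pair identifies the account whose session should be reviewed.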