Title: Missing access controls in OpenAsset Digital Asset Management by OpenAsset
Discovery: Jack Misiura on behalf of The Missing Link Security
The web application was found to expose several endpoints that allowed unauthenticated data retrieval. For example, the following endpoints were found to return CSV lists with no authentication required:
The /Stream/ProjectsCSV endpoint allowed for the retrieval of all projects and their related information.
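To make the class of defect concrete from a defender's side, the following is an added, hypothetical model of a CSV export endpoint, not OpenAsset's code: the handler as it behaves without an access check, the same handler with the check, and a deny-by-default dispatcher that refuses anonymous callers unless a route is explicitly marked public, so a handler that forgets its own check is still covered. The request and session shapes, the project rows, the route table and the access log lines are all constructed for the example; only the /Stream/ProjectsCSV path comes from the advisory. The log scan at the end shows how to spot anonymous hits on an export path in server logs.

```python
"""Added example: a CSV export endpoint with and without an access control
check, plus a deny-by-default dispatcher and a log check. Hypothetical code,
not OpenAsset's implementation; all data below is constructed."""
import csv
import io
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample rows standing in for a project table.
PROJECTS = [
    {"id": 1, "name": "Harbour Bridge Upgrade", "client": "Example Council"},
    {"id": 2, "name": "Riverside Tower", "client": "Example Developments"},
]


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def projects_to_csv(projects: List[dict]) -> str:
    """Serialise the project rows as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "name", "client"])
    writer.writeheader()
    writer.writerows(projects)
    return buf.getvalue()


def projects_csv_unprotected(request: Request) -> Response:
    """The weak pattern: the export is served to whoever asks."""
    return Response(200, projects_to_csv(PROJECTS), {"Content-Type": "text/csv"})


def projects_csv_protected(request: Request) -> Response:
    """The fix: refuse anonymous callers before touching any data."""
    if request.session_user is None:
        return Response(401, "", {"WWW-Authenticate": "Basic realm=\"example\""})
    return Response(200, projects_to_csv(PROJECTS), {"Content-Type": "text/csv"})


# Explicit allow-list of routes that may be served without a session.
PUBLIC_HANDLERS: set = set()


def public(fn: Callable[[Request], Response]) -> Callable[[Request], Response]:
    PUBLIC_HANDLERS.add(fn)
    return fn


@public
def login_page(request: Request) -> Response:
    return Response(200, "login form", {"Content-Type": "text/html"})


# Constructed route table; note the export route points at the unprotected handler.
ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/login": login_page,
    "/Stream/ProjectsCSV": projects_csv_unprotected,
}


def dispatch(routes: Dict[str, Callable[[Request], Response]], request: Request) -> Response:
    """Deny by default: anonymous requests reach only handlers marked @public."""
    handler = routes.get(request.path)
    if handler is None:
        return Response(404)
    if request.session_user is None and handler not in PUBLIC_HANDLERS:
        return Response(401, "", {"WWW-Authenticate": "Basic realm=\"example\""})
    return handler(request)


# Constructed access log: "<time> <client-ip> <user-or-dash> <method> <path> <status> <bytes>".
SAMPLE_LOG = """2024-01-01T10:00:00Z 203.0.113.5 - GET /Stream/ProjectsCSV 200 4821
2024-01-01T10:00:04Z 198.51.100.7 alice GET /Stream/ProjectsCSV 200 4821
2024-01-01T10:00:09Z 203.0.113.5 - GET /login 200 512
2024-01-01T10:01:30Z 192.0.2.44 - GET /Stream/ProjectsCSV 200 4821"""


def find_anonymous_export_hits(log_text: str, export_prefix: str = "/Stream/") -> List[Tuple[str, str]]:
    """Return (client ip, path) for successful anonymous requests under the export prefix."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _time, ip, user, _method, path, status, _size = parts
        if user == "-" and path.startswith(export_prefix) and status == "200":
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    anon = Request("/Stream/ProjectsCSV")
    print("direct, unprotected:", projects_csv_unprotected(anon).status)
    print("direct, protected:  ", projects_csv_protected(anon).status)
    print("via dispatcher:     ", dispatch(ROUTES, anon).status)
    print("anonymous export hits:", find_anonymous_export_hits(SAMPLE_LOG))
```

Calling the unprotected handler directly returns the full CSV to an anonymous request, which is the behaviour the advisory describes; the same request through the deny-by-default dispatcher gets a 401 because the export route was never marked public. The log check relies on the server recording the session user (or a dash for none) on each line, which is an assumption about the log format, not something the advisory states.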
Discovered in: 12.0.19 (Cloud), 11.2.1 (On-Premise)
Fixed in: 12.0.22 (Cloud), 11.4.10 (On-Premise)
OpenAsset would like to thank Jack Misiura for reporting this vulnerability.