Stored cross-site scripting in OpenAsset Digital Asset Management by OpenAsset | The Missing Link

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

Multiple stored cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allows remote attackers to inject arbitrary JavaScript or HTML to be rendered later by the application via:

  • System preferences
    • Project Code regex
    • User name regex
    • Password regex
    • All three description fields
    • First Album Name
    • Vision Items Per SOAP request
  • Categories description
  • Keywords, triggered on deletion attempt
  • Editing photographer name
  • Access token name
  • Web share name

Successful exploitation of this issue may allow an attacker to perform unauthorised actions in a user’s security context, when the said user visits the affected pages.

Affected Versions

Discovered in: 12.0.19 (Cloud) 11.2.1 (On-Premise)

Fixed Versions

Fixed in: 12.0.23 (Cloud) 11.4.10 (On-Premise)

Latest News