CVE-2020-28859

Reflected cross-site scripting in OpenAsset Digital Asset Management by OpenAsset | The Missing Link

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

Multiple reflected cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allow remote attackers to inject arbitrary JavaScript or HTML via:

* Account recovery/password reset page through the email parameter

* Saved search request, through the id parameter

* Search result request, through both the imageViewId and lpFilterInputId parameters

Successful exploitation of this issue may allow an attacker to perform unauthorised actions in the user’s security context.
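
For log review on installations that ran an affected version, the following added example (not part of the advisory and not OpenAsset code) flags requests in which one of the four parameters listed above carries HTML metacharacters after decoding. It assumes Combined Log Format and parameters sent in the query string; the request paths and log lines are constructed placeholders, because the advisory does not give endpoint paths.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

REFLECTED_PARAMS = {"email", "id", "imageViewId", "lpFilterInputId"}  # from the advisory
HTML_META = re.compile(r"[<>\"'`]")  # can break out of HTML text/attribute context
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # CLF request field

def decode_fully(value, rounds=3):
    """Undo extra layers of percent-encoding (double-encoding evasion)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded value)] for advisory parameters holding HTML metacharacters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    # parse_qsl removes the first encoding layer; decode_fully removes the rest.
    for name, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        value = decode_fully(value)
        if name in REFLECTED_PARAMS and HTML_META.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Map 1-based line number -> hits, for lines with at least one hit."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = suspicious_params(line)
        if hits:
            results[number] = hits
    return results

# Constructed sample log; paths are placeholders, not OpenAsset's real endpoints.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2020:10:00:00 +0000] "GET /PLACEHOLDER/reset?email=alice%40example.com HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Dec/2020:10:00:05 +0000] "GET /PLACEHOLDER/reset?email=%22%3E%3Cscript%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [01/Dec/2020:10:00:09 +0000] "GET /PLACEHOLDER/search?imageViewId=7&lpFilterInputId=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 900',
    '192.0.2.13 - - [01/Dec/2020:10:00:12 +0000] "GET /PLACEHOLDER/saved?id=42 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

Hits are leads for review rather than proof of exploitation: a legitimate email address containing an apostrophe will also match, and parameters sent in a POST body do not appear in access logs.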

Affected Versions

Discovered in: 12.0.19 (Cloud), 11.2.1 (On-Premise)

Fixed Versions

Fixed in: 12.0.22 (Cloud), 11.4.10 (On-Premise)
