CVE-2020-28860

Authenticated blind SQL injection in OpenAsset Digital Asset Management by OpenAsset | The Missing Link

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

The OpenAsset Digital Asset Management application was vulnerable to a blind SQL injection, through the /AJAXPage/SearchResults endpoint, via the "currentSearchItems" parameter.

Successful exploitation would allow attackers to retrieve all information contained in the application database.

Affected Versions

Discovered in: 12.0.19 (Cloud) 11.2.1 (On-Premise)

Fixed Versions

Fixed in: 12.0.23 (Cloud) 11.4.10 (On-Premise)

Latest News