CVE-2020-28861

Missing access controls in OpenAsset Digital Asset Management by OpenAsset | The Missing Link

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

The web application was found to provide several endpoints which allowed for unauthenticated data retrieval. For example, the following endpoints were found to return CSV lists with no authentication necessary:

* /Stream/AlbumCSV

* /Stream/KeywordsCSV

* /Stream/ProjectsCSV

* /Stream/ProjectKeywordsCSV

The /Stream/ProjectsCSV endpoint allowed for the retrieval of all projects and their related information.

Affected Versions

Discovered in: 12.0.19 (Cloud) 11.2.1 (On-Premise)

Fixed Versions

Fixed in: 12.0.22 (Cloud) 11.4.10 (On-Premise)

Latest News

Living off the land (LotL) Attacks: How cybercriminals exploit your own tools

Living off the land (LotL) Attacks: AI and Machine Learning as your best defence

You’ve chosen a managed IT service provider – what comes next?

See All News