OpenAsset Digital Asset Management SQL Injection

Credit: Jack Misiura
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: Authenticated blind SQL injection (SQLi)
Product: OpenAsset Digital Asset Management by OpenAsset
Vendor Homepage:
Vulnerable Version: 12.0.19 (Cloud), 11.2.1 (On-premise)
Fixed Version: 12.0.23 (Cloud), 11.4.10 (On-premise)
CVE Number: CVE-2020-28860
Author: Jack Misiura from The Missing Link
Website:

Timeline:
2020-11-14 Disclosed to Vendor
2020-12-04 Vendor releases final patches
2020-12-10 Publication

1. Vulnerability Description

The OpenAsset Digital Asset Management application was vulnerable to an authenticated blind SQL injection through the /AJAXPage/SearchResults endpoint, via the "currentSearchItems" parameter.

2. PoC

The following requests result in a delay of more than 10 seconds in the response, because a SLEEP(10) call is introduced into the SQL query:

3. Solution

The vendor provides an updated version (11.4.10) which should be installed immediately. If using the cloud version, the vendor has already updated it.

4. Advisory URL
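The advisory describes a time-based blind injection: the injected SLEEP(10) leaves no error in the response, only a delay. As an added example (not part of the advisory and not OpenAsset code), the script below shows how a defender can retrospectively hunt for this in web server access logs by combining two signals on the affected endpoint and parameter: a decoded parameter value containing a SQL time-delay function, and a response time at or above the delay threshold, which also catches payloads the pattern misses. The log lines, the log format (Apache combined format with `%D` response time in microseconds appended) and the 10-second threshold are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/AJAXPage/SearchResults"   # endpoint named in the advisory
PARAM = "currentSearchItems"           # parameter named in the advisory

# Constructed sample access log lines (not from a real deployment). Format:
# Apache combined log with the request duration in microseconds (%D) appended.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Dec/2020:10:00:01 +0000] "GET /AJAXPage/SearchResults?currentSearchItems=beach HTTP/1.1" 200 8812 "-" "Mozilla/5.0" 118000
10.0.0.9 - bob [10/Dec/2020:10:00:07 +0000] "GET /AJAXPage/SearchResults?currentSearchItems=1%27%20AND%20SLEEP(10)--%20 HTTP/1.1" 200 312 "-" "Mozilla/5.0" 10240000
10.0.0.5 - alice [10/Dec/2020:10:01:00 +0000] "GET /AJAXPage/SearchResults?currentSearchItems=archive HTTP/1.1" 200 8812 "-" "Mozilla/5.0" 11500000
10.0.0.5 - alice [10/Dec/2020:10:01:05 +0000] "GET /Profile?name=sleep(10) HTTP/1.1" 200 100 "-" "Mozilla/5.0" 90000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Time-delay primitives of the common SQL engines (MySQL SLEEP/BENCHMARK,
# PostgreSQL pg_sleep, MSSQL WAITFOR DELAY). Matched case-insensitively.
TIME_DELAY_RE = re.compile(
    r'\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.I
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["usec"] = int(rec["usec"])
    return rec


def decode_param(target, param):
    """Return the decoded values of `param` from a request target (path + query)."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [])
    # parse_qs already percent-decodes once; decode a second time so that
    # double-encoded values are inspected in their final form.
    return [unquote_plus(v) for v in values]


def inspect_log(log_text, endpoint=ENDPOINT, param=PARAM, slow_ms=10_000):
    """Return a finding for every request to `endpoint` that either carries a
    time-delay SQL function in `param` or took at least `slow_ms` to answer."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or urlsplit(rec["target"]).path != endpoint:
            continue
        reasons = []
        if any(TIME_DELAY_RE.search(v) for v in decode_param(rec["target"], param)):
            reasons.append(f"time-delay SQL function in {param}")
        if rec["usec"] >= slow_ms * 1000:
            reasons.append(f"response took {rec['usec'] / 1e6:.1f}s (>= {slow_ms / 1000:.0f}s)")
        if reasons:
            findings.append({"ip": rec["ip"], "user": rec["user"],
                             "ts": rec["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} ({f['user']}): " + "; ".join(f["reasons"]))
```

Run against the constructed log this reports two requests: the one whose decoded parameter contains `SLEEP(10)` (flagged on both signals) and the slow "archive" search (flagged on timing alone, which is how an obfuscated payload would surface). The request to a different endpoint is ignored even though it contains the word "sleep", so the rule stays scoped to the vulnerable path and keeps noise down; widen the endpoint filter if other search endpoints share the same query code.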
