CVE-2020-28857
Description
OpenAsset DAM through 12.0.19 does not sanitize user input in multiple fields, enabling stored XSS attacks via injected JavaScript or HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenAsset Digital Asset Management (DAM) versions through 12.0.19 (Cloud) and 11.2.1 (On-Premise) fail to properly sanitize user-supplied input in numerous parameters and endpoints. This allows for stored cross-site scripting (XSS) attacks. Affected input fields include the Project Code regex, User name regex, Password regex, three description fields, First Album Name, Vision Items Per SOAP request, Categories description, keywords (triggered on deletion attempt), editing photographer name, Access token name, and Web share name [2].
Exploitation
A remote attacker with the ability to input data into the listed fields (e.g., through administrative configuration or content editing interfaces) can inject arbitrary JavaScript or HTML. When a user subsequently visits pages that render this stored input, the injected script executes in the victim’s browser. No authentication level for the attacker is explicitly specified, but access to the affected input fields is required [2][3].
Impact
Successful exploitation allows an attacker to perform unauthorized actions within the security context of the victim user who views the affected page. This could include stealing session cookies, modifying page content, or performing other actions on behalf of the victim, effectively bypassing the same-origin policy for the application [2].
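The failure described above is the classic stored-XSS shape: a value saved in one of the listed fields is later written into a page without being encoded for the context it lands in. The following added example is not OpenAsset code and makes no claim about how OpenAsset renders these fields; it uses constructed field values (a description, an album name, an access token name) to show the vulnerable concatenation beside a hardened renderer that encodes per context (HTML text, HTML attribute, JavaScript string), plus a small parser-based check a defender can run over rendered output to count script tags and inline event-handler attributes.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample values of the kinds the advisory lists (description,
# First Album Name, Access token name). These are made up for the example.
STORED_FIELDS = {
    "description": "Spring campaign <script>alert(1)</script>",
    "first_album_name": 'Album" onmouseover="alert(2)',
    "access_token_name": "ci-uploader",
}


def js_string(value):
    """JSON-encode a value for use inside a <script> block, then escape the
    characters that could close the block or open a tag even from inside a
    JavaScript string literal (json.dumps leaves '<', '>' and '&' as-is)."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_unsafe(fields):
    """Vulnerable pattern: stored values are concatenated straight into HTML,
    so markup or quotes in the value become part of the page structure."""
    return (
        f'<p class="desc">{fields["description"]}</p>\n'
        f'<input name="album" value="{fields["first_album_name"]}">\n'
        f'<script>var token = "{fields["access_token_name"]}";</script>'
    )


def render_safe(fields):
    """Hardened pattern: each value is encoded for the context it lands in.
    html.escape (quote=True) covers text nodes and quoted attributes;
    js_string covers a JavaScript string literal inside a script block."""
    return (
        f'<p class="desc">{html.escape(fields["description"])}</p>\n'
        f'<input name="album" value="{html.escape(fields["first_album_name"], quote=True)}">\n'
        f'<script>var token = {js_string(fields["access_token_name"])};</script>'
    )


class _ActiveContentCounter(HTMLParser):
    """Counts <script> start tags and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def active_content(markup):
    """Return (script_tag_count, event_handler_count) for a rendered page.
    Compare against the template's known baseline: here the template itself
    legitimately contains exactly one <script> block and no event handlers,
    so anything above (1, 0) came from stored data."""
    parser = _ActiveContentCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_tags, parser.event_handlers


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = renderer(STORED_FIELDS)
        print(f"{name}: script tags / event handlers = {active_content(page)}")
```

The check is deliberately a regression test on rendered output rather than an input filter: the advisory's own list of affected fields shows how many distinct inputs reach a page, and encoding at the output boundary covers all of them at once, whereas blocklisting input strings tends to miss one context (the attribute and script cases above are the ones most often overlooked).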
Mitigation
OpenAsset released fixes in version 12.0.23 (Cloud) and 11.4.10 (On-Premise) [2]. Users should upgrade to these versions or later. No workarounds are documented in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenAsset/Digital Asset Management
- Range: <=12.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- openasset.com (MISC)
- packetstormsecurity.com/files/160455/OpenAsset-Digital-Asset-Management-Cross-Site-Scripting.html (MISC)
- seclists.org/fulldisclosure/2020/Dec/18 (mailing list, FULLDISC)
- www.themissinglink.com.au/security-advisories-cve-2020-28857 (MISC)
News mentions
No linked articles in our index yet.