CVE-2020-28858
Description
Cross-site request forgery in OpenAsset DAM through 12.0.19 allows attackers to perform actions on behalf of authenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site request forgery in OpenAsset DAM through 12.0.19 allows attackers to perform actions on behalf of authenticated users.
Vulnerability
OpenAsset Digital Asset Management (DAM) through version 12.0.19 (Cloud) and 11.2.1 (On-Premise) does not verify that requests are intentionally made by the user, enabling cross-site request forgery (CSRF) attacks on all user functions [2].
Exploitation
An attacker can craft a malicious link or page that, when visited by an authenticated user, performs arbitrary actions on the application with the victim's privileges. No special network position or authentication is required beyond the victim being logged in [2].
Impact
Successful exploitation allows an attacker to perform any action on behalf of the current user's security context, including administrative actions, leading to full compromise of user data and potential privilege escalation [2].
Mitigation
The vulnerability is fixed in versions 12.0.26 (Cloud) and 11.4.10 (On-Premise). Users should upgrade to these versions or apply vendor-supplied patches [2]. No workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- OpenAsset/Digital Asset Managementdescription
- Range: <=12.0.19
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- openasset.commitrex_refsource_MISC
- packetstormsecurity.com/files/160458/OpenAsset-Digital-Asset-Management-Cross-Site-Request-Forgery.htmlmitrex_refsource_MISC
- seclists.org/fulldisclosure/2020/Dec/19mitremailing-listx_refsource_FULLDISC
- www.themissinglink.com.au/security-advisories-cve-2020-28858mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.