CVE-2020-28859
Description
OpenAsset DAM through 12.0.19 contains reflected XSS via multiple parameters; fixed in 12.0.22 (Cloud) and 11.4.10 (On-Premise).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenAsset Digital Asset Management (DAM) through version 12.0.19 (Cloud) and 11.2.1 (On-Premise) echoes user-supplied request parameters into its HTML responses without output encoding, which yields reflected cross-site scripting (XSS) on several endpoints. The affected parameters are the email parameter on the account recovery/password reset page, the id parameter on saved search requests, and both the imageViewId and lpFilterInputId parameters on search result requests [2].
Exploitation
An attacker exploits these flaws by crafting a URL whose vulnerable parameter carries injected HTML or JavaScript. The attacker needs no account on the target; the victim must be induced to open the crafted link (for example a logged-in user clicking it from an email or message). The payload is then reflected by the server and executes in the victim's browser within the application's origin, so it can act as that user [2].
Impact
Successful exploitation lets the attacker run arbitrary JavaScript or HTML in the security context of the affected user. Consequences include theft of session tokens or other data readable by script, unauthorized actions performed in the application on the user's behalf, and defacement of the application interface as seen by that user [2].
Mitigation
Users should upgrade to the fixed versions: 12.0.22 (Cloud) or 11.4.10 (On-Premise) [2]. The references describe no workaround; upgrading is the recommended action.
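The following is an added example, not code from OpenAsset or from the cited advisory. It models the defect class described above (a request parameter interpolated straight into markup) beside the hardened form (attribute-context HTML encoding), and includes the canary check a tester would run to confirm whether each of the four named parameters is reflected unescaped. The endpoint paths, the page layout, and the canary string are assumptions constructed for the example; only the parameter names come from the advisory.

```python
import html
from urllib.parse import urlencode

# Parameter names are those in the advisory. The endpoint paths are ASSUMED
# for this example and are not the product's real routes.
PARAMS = {
    "/account/reset": ["email"],
    "/search/saved": ["id"],
    "/search/results": ["imageViewId", "lpFilterInputId"],
}

# Constructed canary: breaks out of a quoted attribute and opens a tag, but
# is harmless unless it comes back in the response verbatim.
CANARY = '"><xss-canary>'


def vulnerable_page(path, params):
    """Stand-in for the unpatched behaviour: values dropped into markup as-is."""
    fields = "".join(f'<input name="{k}" value="{v}">' for k, v in params.items())
    return f'<form method="post" action="{path}">{fields}</form>'


def fixed_page(path, params):
    """Same page with HTML attribute encoding applied to every reflected value."""
    fields = "".join(
        f'<input name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return f'<form method="post" action="{path}">{fields}</form>'


def crafted_url(base, path, param, payload):
    """Build the kind of link an attacker would send; urlencode handles the quoting."""
    return f"{base}{path}?{urlencode({param: payload})}"


def find_reflections(app, canary=CANARY):
    """Send the canary through every known parameter and report (path, param)
    pairs where it is reflected without encoding, i.e. the page is exploitable."""
    hits = []
    for path, names in PARAMS.items():
        for name in names:
            body = app(path, {name: canary})
            if canary in body:
                hits.append((path, name))
    return hits


if __name__ == "__main__":
    print(crafted_url("https://dam.example", "/account/reset", "email", CANARY))
    print("unpatched:", find_reflections(vulnerable_page))
    print("patched:  ", find_reflections(fixed_page))
```

Against a live instance the same loop would replace `app` with an HTTP client and look for the canary in the response body; a hit means the parameter is reflected in an attribute context without encoding, which is the precondition for the crafted links described above. Note that encoding must match the output context: the escaping used here is correct for HTML text and quoted attributes, not for values placed inside script blocks or URLs.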
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenAsset / Digital Asset Management
  - Range: <=12.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- openasset.com (MISC)
- www.themissinglink.com.au/security-advisories-cve-2020-28859 (MISC)
News mentions
No linked articles in our index yet.