CVE-2020-28860
Description
Authenticated blind SQL injection in OpenAsset DAM through 12.0.19 allows attackers to retrieve database contents via the SearchResults endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated blind SQL injection in OpenAsset DAM through 12.0.19 allows attackers to retrieve database contents via the SearchResults endpoint.
Vulnerability
OpenAsset Digital Asset Management (DAM) versions 12.0.19 (Cloud) and 11.2.1 (On-Premise) are vulnerable to a blind SQL injection in the /AJAXPage/SearchResults endpoint. The application fails to sanitize user-supplied input passed via the currentSearchItems parameter, allowing an authenticated attacker to inject arbitrary SQL queries [2].
Exploitation
An attacker must have valid authentication credentials to the OpenAsset DAM application. By crafting a malicious payload in the currentSearchItems parameter of a request to /AJAXPage/SearchResults, the attacker can perform blind SQL injection. The injection is blind, meaning the attacker must infer database contents through boolean-based or time-based techniques [2].
Impact
Successful exploitation enables the attacker to retrieve all information stored in the application database, including potentially sensitive data such as user credentials, asset metadata, and configuration details. The attack does not require special privileges beyond standard user authentication [2].
Mitigation
The vendor released fixes in version 12.0.23 (Cloud) and 11.4.10 (On-Premise). Users should upgrade to these or later versions. No workarounds are documented in the available references [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- OpenAsset/Digital Asset Managementdescription
- Range: <=12.0.19
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- openasset.commitrex_refsource_MISC
- packetstormsecurity.com/files/160459/OpenAsset-Digital-Asset-Management-SQL-Injection.htmlmitrex_refsource_MISC
- seclists.org/fulldisclosure/2020/Dec/21mitremailing-listx_refsource_FULLDISC
- www.themissinglink.com.au/security-advisories-cve-2020-28860mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.