CVE-2020-28861
Description
OpenAsset DAM 12.0.19 and earlier lacks authentication on the /Stream/ProjectsCSV endpoint, allowing unauthenticated exposure of project details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenAsset Digital Asset Management (DAM) versions 12.0.19 (Cloud) and 11.2.1 (On-Premise) and earlier fail to enforce access controls on the /Stream/ProjectsCSV endpoint. This flaw allows any unauthenticated user to retrieve a CSV file containing all projects and their associated metadata, including potentially sensitive information stored in the application [2]. The endpoint is part of a set of unprotected /Stream/ endpoints that also include /Stream/AlbumCSV, /Stream/KeywordsCSV, and /Stream/ProjectKeywordsCSV [2].
Exploitation
An attacker does not require any prior authentication, session token, or special network position beyond access to the web application's URL. By making a simple HTTP GET request to /Stream/ProjectsCSV, the attacker can download the complete project list and related data without any user interaction or privilege escalation [2]. The attack is trivial to execute and does not rely on any race condition or additional vulnerabilities.
Impact
Successful exploitation results in unauthorized disclosure of project information stored in the DAM system. The impact is primarily on confidentiality, as the attacker can read all project records, including potentially confidential business data, without leaving any authenticated trace. There is no direct impact on integrity or availability, but the exposed data could be used for further targeted attacks or competitive intelligence gathering [2].
Mitigation
OpenAsset released fixed versions: 12.0.22 for Cloud customers and 11.4.10 for On-Premise installations [2]. All users should upgrade to these versions or later. There is no known workaround; applying the vendor-supplied patch is the recommended course of action. The issue is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
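Because the vulnerable endpoints answer without any session, the defender's signal is in the web server access log rather than in the application's audit trail. The following detection helper is an added example written for this page; it is not OpenAsset's code and not part of the advisory. It parses combined-format access log lines with one extra quoted field carrying the Cookie header (an assumed log layout), flags every request to the four /Stream/*CSV endpoints named above, marks those that arrived without a session cookie, and counts per client IP the exports that were actually served. The session cookie name `OA_SESSION_PLACEHOLDER`, the log format, and the sample lines are all constructed assumptions to be replaced with the values of the deployment being reviewed.

```python
"""Detection helper for CVE-2020-28861: flag requests to the unauthenticated
OpenAsset /Stream/*CSV export endpoints in web server access logs.

Added example, not OpenAsset's code. The log format (combined log plus a
trailing quoted Cookie field) and the session cookie name are assumptions;
adjust both to the deployment being reviewed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Endpoints named in the advisory text; compared case-insensitively.
UNPROTECTED_STREAM_ENDPOINTS = frozenset(p.lower() for p in (
    "/Stream/ProjectsCSV",
    "/Stream/AlbumCSV",
    "/Stream/KeywordsCSV",
    "/Stream/ProjectKeywordsCSV",
))

# Assumed session cookie name (placeholder): the real cookie name is not
# given on the page, so substitute the one your instance sets.
SESSION_COOKIE_NAME = "OA_SESSION_PLACEHOLDER"

# Combined log format with one extra quoted field carrying the Cookie header
# (constructed format for this example; match it to your log configuration).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_stream_csv_target(target):
    """True when the request path (query string ignored, case-insensitive)
    is one of the unprotected CSV export endpoints."""
    path = urlsplit(target).path.rstrip("/").lower()
    return path in UNPROTECTED_STREAM_ENDPOINTS


def has_session_cookie(cookie_field):
    """True when the Cookie header carries the session cookie name."""
    if cookie_field in ("", "-"):
        return False
    names = {part.split("=", 1)[0].strip() for part in cookie_field.split(";")}
    return SESSION_COOKIE_NAME in names


def find_stream_csv_hits(lines):
    """Return one finding per request to an unprotected /Stream/*CSV endpoint.

    A hit is 'unauthenticated' when no session cookie accompanied it, and
    'served' when the server answered 200 with a non-empty body, i.e. the
    export actually left the system (a 403 with an empty body did not)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_stream_csv_target(rec["target"]):
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": urlsplit(rec["target"]).path,
            "status": rec["status"],
            "unauthenticated": not has_session_cookie(rec["cookie"]),
            "served": rec["status"] == 200 and rec["size"] > 0,
            "user_agent": rec["ua"],
        })
    return hits


def unauthenticated_exports_by_ip(hits):
    """Count, per client IP, exports that were served without a session."""
    return Counter(h["ip"] for h in hits if h["unauthenticated"] and h["served"])


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2020:09:14:02 +0000] "GET /Stream/ProjectsCSV HTTP/1.1" 200 48213 "-" "curl/7.64.1" "-"',
    '198.51.100.7 - - [10/Dec/2020:09:15:30 +0000] "GET /Stream/AlbumCSV?album=12 HTTP/1.1" 200 9120 "https://dam.example.test/Albums" "Mozilla/5.0" "OA_SESSION_PLACEHOLDER=c0ffee; theme=dark"',
    '198.51.100.7 - - [10/Dec/2020:09:15:31 +0000] "GET /Images/logo.png HTTP/1.1" 200 512 "https://dam.example.test/Albums" "Mozilla/5.0" "OA_SESSION_PLACEHOLDER=c0ffee; theme=dark"',
    '203.0.113.5 - - [10/Dec/2020:09:16:45 +0000] "GET /stream/keywordscsv HTTP/1.1" 200 1200 "-" "python-requests/2.25.0" "-"',
    '203.0.113.9 - - [10/Dec/2020:09:17:00 +0000] "GET /Stream/ProjectKeywordsCSV HTTP/1.1" 403 0 "-" "curl/7.64.1" "-"',
    'this line is garbage and will be skipped',
]

if __name__ == "__main__":
    found = find_stream_csv_hits(SAMPLE_LOG)
    for h in found:
        flag = "UNAUTH" if h["unauthenticated"] else "session"
        print(f'{h["ts"]} {h["ip"]:<14} {h["path"]:<28} {h["status"]} {flag} served={h["served"]}')
    print("unauthenticated exports by IP:", dict(unauthenticated_exports_by_ip(found)))
```

The path comparison deliberately ignores case and query strings, and a request is only counted as a completed export when the status is 200 with a non-empty body, so the same script run after the upgrade to 12.0.22 / 11.4.10 shows whether the endpoints have started refusing unauthenticated callers. Any IP with a non-zero count before the patch date is a candidate for incident scoping, since the CSV it received contains the full project list.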
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenAsset/Digital Asset Management
- Range: <=12.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- openasset.com (MITRE, x_refsource_MISC)
- packetstormsecurity.com/files/160457/OpenAsset-Digital-Asset-Management-Insecure-Direct-Object-Reference.html (MITRE, x_refsource_MISC)
- seclists.org/fulldisclosure/2020/Dec/22 (MITRE, mailing-list, x_refsource_FULLDISC)
- www.themissinglink.com.au/security-advisories-cve-2020-28861 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.