CVE-2020-28858

8.8 HIGH

📋 TL;DR

CVE-2020-28858 is a Cross-Site Request Forgery (CSRF) vulnerability in OpenAsset Digital Asset Management (DAM) that allows attackers to trick authenticated users into performing unintended actions. All user functions are vulnerable, potentially leading to unauthorized data manipulation or account takeover. Any organization using OpenAsset DAM through version 12.0.19 is affected.

💻 Affected Systems

Products:
  • OpenAsset Digital Asset Management (DAM)
Versions: through 12.0.19
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configuration are vulnerable. Exploitation requires a victim who holds an authenticated session.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise where attackers can create admin accounts, delete critical assets, modify user permissions, or exfiltrate sensitive data through authenticated user sessions.

🟠

Likely Case

Unauthorized data manipulation, asset deletion/modification, or privilege escalation through crafted requests that authenticated users unknowingly execute.

🟢

If Mitigated

Limited impact with proper CSRF protections, session management, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a victim with an authenticated session. Public exploit details are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.0.20 or later

Vendor Advisory: http://openasset.com

Restart Required: Yes

Instructions:

1. Backup current installation and data.
2. Download latest version from OpenAsset vendor portal.
3. Follow vendor upgrade documentation.
4. Restart application services.
5. Verify CSRF protections are enabled.

🔧 Temporary Workarounds

Implement CSRF Tokens

Add anti-CSRF tokens to all state-changing requests

Requires application code modification - consult OpenAsset documentation

SameSite Cookie Enforcement

Configure session cookies with SameSite=Strict attribute

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
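The two workarounds above (per-session anti-CSRF tokens on every state-changing request, and a session cookie issued with SameSite=Strict; Secure; HttpOnly) are shown together in the following added example. It is illustrative code written for this page, not OpenAsset's own implementation; the request dictionary shape, the `csrf_token` form field, the `X-CSRF-Token` header and the in-memory `SECRET_KEY` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret that binds tokens to sessions; constructed here for the example.
# A real deployment keeps this in configuration, not in source.
SECRET_KEY = secrets.token_bytes(32)

# Methods that change state and therefore must carry a valid token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Create a token bound to one session: a random nonce plus an HMAC over session and nonce."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token, secret: bytes = SECRET_KEY) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def csrf_guard(request: dict, secret: bytes = SECRET_KEY) -> tuple:
    """Decide whether a parsed request may proceed.

    `request` is a hypothetical dict with keys method, cookies, headers and form
    (assumed shape for this example). Returns (http_status, reason).
    """
    method = request.get("method", "GET").upper()
    if method not in STATE_CHANGING:
        return 200, "safe method, no token required"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "no authenticated session"
    # Accept the token either as a form field or as a request header (assumed names).
    token = request.get("form", {}).get("csrf_token") or request.get("headers", {}).get("X-CSRF-Token")
    if not verify_csrf_token(session_id, token, secret):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line carrying the attributes the workaround above recommends."""
    return f"Set-Cookie: session={session_id}; SameSite=Strict; Secure; HttpOnly; Path=/"


if __name__ == "__main__":
    sid = secrets.token_hex(16)
    tok = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    print(csrf_guard({"method": "POST", "cookies": {"session": sid}, "form": {"csrf_token": tok}}))
    print(csrf_guard({"method": "POST", "cookies": {"session": sid}, "form": {}}))
```

Binding the token to the session id (rather than storing a bare random value) means a token captured from one session is useless in another, and `hmac.compare_digest` avoids a timing side channel on the comparison. The SameSite=Strict cookie is a defence in depth: browsers that honour it will not attach the session cookie to cross-site POSTs at all, so even an endpoint that forgets the token check is not reachable from an attacker's page in those browsers.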

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with CSRF protection rules
  • Segment network access to OpenAsset DAM and enforce strict referrer policies

🔍 How to Verify

Check if Vulnerable:

Check OpenAsset DAM version in admin interface or configuration files. Versions 12.0.19 and earlier are vulnerable.

Check Version:

Check admin dashboard or consult OpenAsset documentation for version check procedure

Verify Fix Applied:

Verify the version is 12.0.20 or later. Test CSRF protection by confirming that state-changing requests submitted without a valid token are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed state-changing requests from the same IP
  • Requests missing CSRF tokens
  • Unusual user activity patterns

Network Indicators:

  • HTTP POST requests without a Referer header, or with a Referer from an origin other than the DAM itself
  • Requests with crafted parameters targeting user functions

SIEM Query:

source="openasset" AND (http_method="POST" OR http_method="PUT") AND NOT csrf_token=*
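The log and network indicators above can be checked offline against exported access logs. The following added example (written for this page, not a vendor-supplied tool) flags state-changing requests that carry no CSRF token, requests whose Referer is absent or from a foreign origin, and client IPs with repeated failed state-changing requests. The log line format, the `csrf_token=` field and the sample lines are all constructed for the example; the DAM origin `https://dam.example.internal` and the request paths are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines in an assumed format (not real OpenAsset logs):
# client_ip - user [timestamp] "METHOD path HTTP/1.1" status size "referer" csrf_token=<value or ->
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2021:10:00:01 +0000] "GET /dashboard HTTP/1.1" 200 512 "https://dam.example.internal/" csrf_token=-
10.0.0.5 - alice [01/Jan/2021:10:00:05 +0000] "POST /admin/users HTTP/1.1" 200 88 "https://dam.example.internal/admin/users" csrf_token=a1b2c3
203.0.113.7 - bob [01/Jan/2021:10:01:00 +0000] "POST /admin/users HTTP/1.1" 403 0 "-" csrf_token=-
203.0.113.7 - bob [01/Jan/2021:10:01:02 +0000] "PUT /admin/users/7 HTTP/1.1" 403 0 "https://evil.example/page" csrf_token=-
203.0.113.7 - bob [01/Jan/2021:10:01:03 +0000] "POST /assets/delete HTTP/1.1" 403 0 "https://evil.example/page" csrf_token=-
10.0.0.9 - carol [01/Jan/2021:10:02:00 +0000] "POST /assets/upload HTTP/1.1" 200 64 "https://dam.example.internal/assets" csrf_token=d4e5f6
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" csrf_token=(?P<token>\S+)$'
)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one line of the assumed format; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def same_origin(referer, expected_origin):
    """True only when the Referer's scheme and host match the DAM's own origin."""
    if referer in ("", "-"):
        return False
    r, e = urlsplit(referer), urlsplit(expected_origin)
    return (r.scheme, r.netloc) == (e.scheme, e.netloc)


def analyze_log(text, expected_origin, threshold=3):
    """Apply the page's indicators to a block of log text and return the findings."""
    findings = {"missing_token": [], "bad_referer": [], "suspicious_ips": []}
    failures = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        # Only state-changing methods matter for CSRF; safe methods are skipped.
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        key = (rec["ip"], rec["user"], rec["method"], rec["path"])
        if rec["token"] == "-":
            findings["missing_token"].append(key)
        if not same_origin(rec["referer"], expected_origin):
            findings["bad_referer"].append(key)
        if rec["status"] >= 400:
            failures[rec["ip"]] += 1
    # An IP with `threshold` or more failed state-changing requests is worth a closer look.
    findings["suspicious_ips"] = sorted(ip for ip, n in failures.items() if n >= threshold)
    return findings


if __name__ == "__main__":
    for name, items in analyze_log(SAMPLE_LOG, "https://dam.example.internal").items():
        print(f"{name}: {items}")
```

On the sample above the three requests from 203.0.113.7 trip every indicator at once, which is the pattern to look for: a token-less state-changing request alone may be a legacy client, but combined with a foreign or absent Referer and a burst of 4xx responses it is the signature of cross-site requests being replayed through a logged-in user's browser.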
