Bug 1719042 (CVE-2019-10178)
| Summary: | CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alee, carnil, cbuissar, cfu, dsirrine, edewata, gkapoor, jmagne, mharmsen, prisingh, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-23 17:35:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1725128, 1725129, 1798388, 1931716 | ||
| Bug Blocks: | 1719043 | ||
|
Description
Laura Pardo
2019-06-10 21:28:15 UTC
Acknowledgments: Name: Pritam Singh (Red Hat) Created pki-core tracking bugs for this issue: Affects: fedora-all [bug 1798388] Do you know if this was reported upstream and there is an upstream fix? In reply to comment #10: > Do you know if this was reported upstream and there is an upstream fix? Correcting the need info. Regards Yogendra. Upstream is aware. There is currently no fix. However, the security consequences are very limited. e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place). If/when there is a fix upstream, it will be posted on this bug tracker. I hope this helps! This issue has been addressed in the following products: Red Hat Certificate System 9.7 Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947 This issue has been addressed in the following products: Red Hat Certificate System 9.4 EUS Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10178 Hi (In reply to Cedric Buissart from comment #12) > Upstream is aware. There is currently no fix. > However, the security consequences are very limited. > e.g. : Thanks to the webUI using client side TLS authentication, stealing a > cookie will not be of much use to the attacker. > At the moment, the only concerns are defacing and minor information > disclosure (user information from the victim, such as name, email and roles, > which the attacker can probably have access to via other means given the > privilege requirements for storing the XSS in the first place). > > If/when there is a fix upstream, it will be posted on this bug tracker. > > I hope this helps! As this recieved as well a RHSA/errata, do you know more on the upstream status for this issue? Thanks in advance and regards, Salvatore Hello Salvatore, Apologies for the delayed answer. Thanks for pointing this out! The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit: https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8 |