Bug 1780707 (CVE-2020-1696)

Summary: CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alee, carnil, cbuissar, cfu, dsirrine, edewata, fvhxi0yv, jmagne, mharmsen, prisingh, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the pki-core's Token Processing Service (TPS) where it did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated victim into executing a specially crafted Javascript code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-23 17:35:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1791099, 1791100, 1797988, 1931717    
Bug Blocks: 1780710    

Description Guilherme de Almeida Suckevicz 2019-12-06 17:02:14 UTC 
A flaw was found in Profile ID field while adding new profile at TPS's web page, when adding new profile (Profile ID) input field not getting filtered or sanitize the specially crafted javascript like <script>alert(document.domain)</script> and being stored/triggered everytime with domain name in response. This user input is not being sanitized and therefore it is vulnerable to a Stored XSS.
Comment 1 Cedric Buissart 2020-01-14 20:13:34 UTC 
Acknowledgments:

Name: Pritam Singh (Red Hat)
Comment 6 Cedric Buissart 2020-02-04 11:25:32 UTC 
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1797988]
Comment 7 Salvatore Bonaccorso 2020-02-07 06:30:14 UTC 
Do you know if this was reported in the upstream issue tracker and there is a fix?
Comment 8 Cedric Buissart 2020-02-07 14:38:00 UTC 
Upstream is aware. There is currently no fix. I will check for upstream issue tracker.

However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place).

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!
Comment 12 errata-xmlrpc 2021-03-22 08:08:50 UTC 
This issue has been addressed in the following products:

  Red Hat Certificate System 9.7

Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947
Comment 13 errata-xmlrpc 2021-03-22 09:03:51 UTC 
This issue has been addressed in the following products:

  Red Hat Certificate System 9.4 EUS

Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948
Comment 14 Product Security DevOps Team 2021-03-23 17:35:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1696
Comment 15 Salvatore Bonaccorso 2023-03-07 19:30:02 UTC 
Hi

(In reply to Cedric Buissart from comment #8)
> Upstream is aware. There is currently no fix. I will check for upstream
> issue tracker.
> 
> However, the security consequences are very limited. 
> e.g. : Thanks to the webUI using client side TLS authentication, stealing a
> cookie will not be of much use to the attacker. 
> At the moment, the only concerns are defacing and minor information
> disclosure (user information from the victim, such as name, email and roles,
> which the attacker can probably have access to via other means given the
> privilege requirements for storing the XSS in the first place).
> 
> If/when there is a fix upstream, it will be posted on this bug tracker.
> 
> I hope this helps!

I see there where RHSA's for it. Following up on some older CVEs noticed
that this one though does not reference an upstream issue and fix. Can
you help identify the fix to associate it with the CVE accordingly?

Regards,
Salvatore
Comment 16 Cedric Buissart 2023-03-21 13:10:24 UTC 
Hello Salvatore,

Apologies for the delayed answer.

Thanks for pointing this out!

The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit:
https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8