A vulnerability was found in pki-tps web UI, in the table showing tokens. Several fields including the User ID and the policy are not sanitized and could be set or modified by an attacker, in order to launch a Stored Cross Site Scripting (XSS) attack. The XSS will be triggered each time the malicious token is shown in the authenticated victim's web browser when navigating to the vulnerable URL.
Acknowledgments: Name: Pritam Singh (Red Hat)
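The unsanitized token-table fields described above, as an added example that is not pki-tps code: a row renderer that concatenates stored values into markup, beside one that HTML-encodes every stored field at output. The field names `id`, `userID` and `policy`, the function names and the sample record are assumptions constructed for illustration.

```javascript
// Added illustration only; field and function names are assumptions,
// not taken from the pki-tps source.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for HTML element content or a quoted attribute value.
// null/undefined become an empty cell; numbers are stringified first.
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored fields reach the page unchanged, so markup saved in
// userID or policy is parsed by every browser that displays the row.
function renderTokenRowUnsafe(token) {
  return "<tr><td>" + token.id + "</td><td>" + token.userID +
         "</td><td>" + token.policy + "</td></tr>";
}

// "After": every stored field is encoded at the point of output, so the
// same record is displayed as literal text.
function renderTokenRowSafe(token) {
  const cells = [token.id, token.userID, token.policy]
    .map((v) => "<td>" + escapeHtml(v) + "</td>");
  return "<tr>" + cells.join("") + "</tr>";
}

// Constructed sample record with markup stored in userID and policy.
const sampleToken = {
  id: "TOKEN-0001", // constructed placeholder
  userID: "<b>jdoe</b>",
  policy: "RE_ENROLL=YES;<script>/* constructed marker */</script>",
};

console.log(renderTokenRowUnsafe(sampleToken));
console.log(renderTokenRowSafe(sampleToken));
```

In browser code that builds rows through the DOM, assigning the stored value to `textContent` instead of assembling HTML strings gives the same result.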
Reducing the severity to Low: the attacker needs to be able to modify the token policies in order to store the JavaScript code. This requires high privileges.
Created pki-core tracking bugs for this issue: Affects: fedora-all [bug 1798080]
Do you know if this was reported in the upstream issue tracker and there is a fix?
Upstream is aware. There is currently no fix. I will check for upstream issue tracker. However, the security consequences are very limited, e.g.: thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. At the moment, the only concerns are defacing. If/when there is a fix upstream, it will be posted on this bug tracker. I hope this helps!
This issue has been addressed in the following products: Red Hat Certificate System 9.7 Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947
This issue has been addressed in the following products: Red Hat Certificate System 9.4 EUS Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10180
Hi

(In reply to Cedric Buissart from comment #10)
> Upstream is aware. There is currently no fix. I will check for upstream
> issue tracker.
>
> However, the security consequences are very limited.
> e.g. : Thanks to the webUI using client side TLS authentication, stealing a
> cookie will not be of much use to the attacker.
> At the moment, the only concerns are defacing.
>
> If/when there is a fix upstream, it will be posted on this bug tracker.
>
> I hope this helps!

Do you have a reference for the upstream issue and fix? Noticed that RHSAs were posted for it, so I assume it was fixed in the meantime. Do you know more?

Thanks already!
Hello Salvatore, Apologies for the delayed answer. Thanks for pointing this out! The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit: https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8