A vulnerability, reflected cross site scripting in getcookies?url= endpoint in CA was reported in pki-core
Name: Pritam Singh (Red Hat)
This vulnerability is rated Low : the web UI uses client TLS authentication, therefore stealing session cookies will not be sufficient for unauthorized access. The vulnerable page itself does not contain secrets.
Created pki-core tracking bugs for this issue:
Affects: fedora-all [bug 1798039]
Do you know if this was reported in the upstream issue tracker and there is a fix?
Upstream is aware. There is currently no fix. I will check for upstream issue tracker.
However, the security consequences are very limited.
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker.
At the moment, the only concern is about defacing.
If/when there is a fix upstream, it will be posted on this bug tracker.
I hope this helps!
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847
*** Bug 1902050 has been marked as a duplicate of this bug. ***