A flaw was found in Profile ID field while adding new profile at TPS's web page, when adding new profile (Profile ID) input field not getting filtered or sanitize the specially crafted javascript like <script>alert(document.domain)</script> and being stored/triggered everytime with domain name in response. This user input is not being sanitized and therefore it is vulnerable to a Stored XSS.
Acknowledgments: Name: Pritam Singh (Red Hat)
Created pki-core tracking bugs for this issue: Affects: fedora-all [bug 1797988]
Do you know if this was reported in the upstream issue tracker and there is a fix?
Upstream is aware. There is currently no fix. I will check for upstream issue tracker. However, the security consequences are very limited. e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place). If/when there is a fix upstream, it will be posted on this bug tracker. I hope this helps!
This issue has been addressed in the following products: Red Hat Certificate System 9.7 Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947
This issue has been addressed in the following products: Red Hat Certificate System 9.4 EUS Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1696
Hi (In reply to Cedric Buissart from comment #8) > Upstream is aware. There is currently no fix. I will check for upstream > issue tracker. > > However, the security consequences are very limited. > e.g. : Thanks to the webUI using client side TLS authentication, stealing a > cookie will not be of much use to the attacker. > At the moment, the only concerns are defacing and minor information > disclosure (user information from the victim, such as name, email and roles, > which the attacker can probably have access to via other means given the > privilege requirements for storing the XSS in the first place). > > If/when there is a fix upstream, it will be posted on this bug tracker. > > I hope this helps! I see there where RHSA's for it. Following up on some older CVEs noticed that this one though does not reference an upstream issue and fix. Can you help identify the fix to associate it with the CVE accordingly? Regards, Salvatore
Hello Salvatore, Apologies for the delayed answer. Thanks for pointing this out! The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit: https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8