A vulnerability was found in pki-tps. A stored XSS occurs when adding a new token in the Activity tab of the TPS web page, due to improper sanitization of the token id input.
Acknowledgments: Name: Pritam Singh (Red Hat)
Created pki-core tracking bugs for this issue: Affects: fedora-all [bug 1798388]
Do you know if this was reported upstream and there is an upstream fix?
In reply to comment #10:
> Do you know if this was reported upstream and there is an upstream fix?

Correcting the need info.

Regards
Yogendra.
Upstream is aware. There is currently no fix. However, the security consequences are very limited. e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place). If/when there is a fix upstream, it will be posted on this bug tracker. I hope this helps!
This issue has been addressed in the following products: Red Hat Certificate System 9.7 Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947
This issue has been addressed in the following products: Red Hat Certificate System 9.4 EUS Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10178
Hi

(In reply to Cedric Buissart from comment #12)
> Upstream is aware. There is currently no fix.
> However, the security consequences are very limited.
> e.g. : Thanks to the webUI using client side TLS authentication, stealing a
> cookie will not be of much use to the attacker.
> At the moment, the only concerns are defacing and minor information
> disclosure (user information from the victim, such as name, email and roles,
> which the attacker can probably have access to via other means given the
> privilege requirements for storing the XSS in the first place).
>
> If/when there is a fix upstream, it will be posted on this bug tracker.
>
> I hope this helps!

As this received as well a RHSA/errata, do you know more on the upstream status for this issue?

Thanks in advance and regards,
Salvatore
Hello Salvatore, Apologies for the delayed answer. Thanks for pointing this out! The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit: https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8