Bug 1719042 (CVE-2019-10178) - CVE-2019-10178 pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1725128 1725129 1798388 1931716
Blocks: 1719043
Reported: 2019-06-10 21:28 UTC by Laura Pardo
Modified: 2023-03-21 13:28 UTC

Fixed In Version:
Doc Text:
It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser.
Clone Of:
Environment:
Last Closed: 2021-03-23 17:35:11 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0947 0 None None None 2021-03-22 08:08:49 UTC
Red Hat Product Errata RHSA-2021:0948 0 None None None 2021-03-22 09:03:52 UTC

Description Laura Pardo 2019-06-10 21:28:15 UTC
A vulnerability was found in pki-tps. A stored XSS when adding a new token in TPS's web page Activity tab due to an improper sanitization of the token id input.

Comment 1 Laura Pardo 2019-06-11 14:46:41 UTC
Acknowledgments:

Name: Pritam Singh (Red Hat)

Comment 9 Cedric Buissart 2020-02-05 08:48:13 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1798388]

Comment 10 Salvatore Bonaccorso 2020-02-07 06:27:44 UTC
Do you know if this was reported upstream and there is an upstream fix?

Comment 11 Yogendra Jog 2020-02-07 13:39:28 UTC
In reply to comment #10:
> Do you know if this was reported upstream and there is an upstream fix?

Correcting the need info.

Regards
Yogendra.

Comment 12 Cedric Buissart 2020-02-07 13:59:27 UTC
Upstream is aware. There is currently no fix.
However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place).

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!

Comment 15 errata-xmlrpc 2021-03-22 08:08:50 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 9.7

Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947

Comment 16 errata-xmlrpc 2021-03-22 09:03:47 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 9.4 EUS

Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948

Comment 17 Product Security DevOps Team 2021-03-23 17:35:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10178

Comment 18 Salvatore Bonaccorso 2023-03-07 19:33:28 UTC
Hi

(In reply to Cedric Buissart from comment #12)
> Upstream is aware. There is currently no fix.
> However, the security consequences are very limited. 
> e.g. : Thanks to the webUI using client side TLS authentication, stealing a
> cookie will not be of much use to the attacker. 
> At the moment, the only concerns are defacing and minor information
> disclosure (user information from the victim, such as name, email and roles,
> which the attacker can probably have access to via other means given the
> privilege requirements for storing the XSS in the first place).
> 
> If/when there is a fix upstream, it will be posted on this bug tracker.
> 
> I hope this helps!

As this received as well a RHSA/errata, do you know more on the upstream
status for this issue? 

Thanks in advance and regards,
Salvatore

Comment 19 Cedric Buissart 2023-03-21 13:27:36 UTC
Hello Salvatore,

Apologies for the delayed answer.

Thanks for pointing this out!

The 3 XSS that affected TPS (CVE-2020-1696, CVE-2019-10180 and CVE-2019-10178) have been fixed via this commit:
https://github.com/dogtagpki/pki/commit/1dbb07f8e41b4809b0f41a7643c37301fcf712d8
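
The flaw class described in the Doc Text above (token IDs shown on the Activity page without sanitization), as an added example that is not part of this bug report and is not Dogtag PKI code: a hypothetical activity-row renderer in its unsafe form beside an output-encoded form, plus an input-side allow-list check. The function names, record fields, sample records and the hex token ID format are assumptions made for illustration.

```javascript
// Added example: hypothetical activity-row renderer, not Dogtag PKI code.

// Constructed sample records; the second carries markup in its token ID.
const sampleActivities = [
  { tokenId: "40906145C76224192D2B", operation: "format", result: "Success" },
  { tokenId: '"><img src=x onerror=alert(1)>', operation: "add", result: "Success" },
];

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so any markup in tokenId becomes part of the page for every viewer.
function renderRowUnsafe(a) {
  return "<tr><td>" + a.tokenId + "</td><td>" + a.operation + "</td><td>" + a.result + "</td></tr>";
}

// Output encoding for HTML element and quoted-attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: every stored field is encoded at the point of output.
function renderRowSafe(a) {
  const cells = [a.tokenId, a.operation, a.result].map((v) => "<td>" + escapeHtml(v) + "</td>");
  return "<tr>" + cells.join("") + "</tr>";
}

// Input-side check (assumption: token IDs are hex strings of up to 40 chars).
// This complements output encoding; it does not replace it.
function isValidTokenId(id) {
  return typeof id === "string" && /^[0-9A-Fa-f]{1,40}$/.test(id);
}

// Report, per record, whether input validation accepts it and whether
// an <img> tag survives into each rendering.
function audit(activities) {
  return activities.map((a) => ({
    tokenId: a.tokenId,
    acceptedAtInput: isValidTokenId(a.tokenId),
    unsafeHasTag: /<img\b/i.test(renderRowUnsafe(a)),
    safeHasTag: /<img\b/i.test(renderRowSafe(a)),
  }));
}

console.log(audit(sampleActivities));
```
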

