Bug 1780707 (CVE-2020-1696) - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
Summary: CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1696
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1791099 1791100 1797988 1931717
Blocks: 1780710
TreeView+ depends on / blocked
 
Reported: 2019-12-06 17:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-03-23 17:35 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the pki-core's Token Processing Service (TPS) where it did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated victim into executing a specially crafted Javascript code.
Clone Of:
Environment:
Last Closed: 2021-03-23 17:35:23 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0947 0 None None None 2021-03-22 08:08:50 UTC
Red Hat Product Errata RHSA-2021:0948 0 None None None 2021-03-22 09:03:53 UTC

Description Guilherme de Almeida Suckevicz 2019-12-06 17:02:14 UTC
A flaw was found in Profile ID field while adding new profile at TPS's web page, when adding new profile (Profile ID) input field not getting filtered or sanitize the specially crafted javascript like <script>alert(document.domain)</script> and being stored/triggered everytime with domain name in response. This user input is not being sanitized and therefore it is vulnerable to a Stored XSS.

Comment 1 Cedric Buissart 2020-01-14 20:13:34 UTC
Acknowledgments:

Name: Pritam Singh (Red Hat)

Comment 6 Cedric Buissart 2020-02-04 11:25:32 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1797988]

Comment 7 Salvatore Bonaccorso 2020-02-07 06:30:14 UTC
Do you know if this was reported in the upstream issue tracker and there is a fix?

Comment 8 Cedric Buissart 2020-02-07 14:38:00 UTC
Upstream is aware. There is currently no fix. I will check for upstream issue tracker.

However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place).

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!

Comment 12 errata-xmlrpc 2021-03-22 08:08:50 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 9.7

Via RHSA-2021:0947 https://access.redhat.com/errata/RHSA-2021:0947

Comment 13 errata-xmlrpc 2021-03-22 09:03:51 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 9.4 EUS

Via RHSA-2021:0948 https://access.redhat.com/errata/RHSA-2021:0948

Comment 14 Product Security DevOps Team 2021-03-23 17:35:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1696


Note You need to log in before you can comment on or make changes to this bug.