Bug 1780707 (CVE-2020-1696) - CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
Summary: CVE-2020-1696 pki-core: Stored XSS in TPS profile creation
Status: NEW
Alias: CVE-2020-1696
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1791099 1797988 1791100
Blocks: 1780710
TreeView+ depends on / blocked
Reported: 2019-12-06 17:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-02-11 21:24 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the pki-core's Token Processing Service (TPS) where it did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated victim into executing a specially crafted Javascript code.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2019-12-06 17:02:14 UTC
A flaw was found in Profile ID field while adding new profile at TPS's web page, when adding new profile (Profile ID) input field not getting filtered or sanitize the specially crafted javascript like <script>alert(document.domain)</script> and being stored/triggered everytime with domain name in response. This user input is not being sanitized and therefore it is vulnerable to a Stored XSS.

Comment 1 Cedric Buissart 2020-01-14 20:13:34 UTC

Name: Pritam Singh (Red Hat)

Comment 6 Cedric Buissart 2020-02-04 11:25:32 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1797988]

Comment 7 Salvatore Bonaccorso 2020-02-07 06:30:14 UTC
Do you know if this was reported in the upstream issue tracker and there is a fix?

Comment 8 Cedric Buissart 2020-02-07 14:38:00 UTC
Upstream is aware. There is currently no fix. I will check for upstream issue tracker.

However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place).

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!

Note You need to log in before you can comment on or make changes to this bug.