exploitDog
CVE-2019-10179

Published: 03 Feb 2020
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize the recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted JavaScript code.

It was found that the Key Recovery Authority (KRA) Agent Service did not properly sanitize the recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted JavaScript code.

Report

This vulnerability is rated Low: the web UI uses client TLS authentication, so stealing session cookies alone is not sufficient for unauthorized access. The vulnerable page itself does not contain secrets.

Affected packages

Platform | Package | Status | Advisory | Release date
Red Hat Enterprise Linux 6 | pki-core | Not affected | - | -
Red Hat Enterprise Linux 7 | pki-core | Fixed | RHSA-2021:0851 | 16.03.2021
Red Hat Enterprise Linux 7.6 Extended Update Support | pki-core | Fixed | RHSA-2021:0819 | 15.03.2021
Red Hat Enterprise Linux 7.7 Extended Update Support | pki-core | Fixed | RHSA-2021:0975 | 23.03.2021
Red Hat Enterprise Linux 8 | pki-core | Fixed | RHSA-2020:4847 | 04.11.2020
Red Hat Enterprise Linux 8 | pki-deps | Fixed | RHSA-2020:4847 | 04.11.2020

Additional information

Status: Low
Weakness: CWE-79
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1695901
pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab

EPSS: 0.00616 (percentile 69%), Low

CVSS3: 4.3 Medium

Related vulnerabilities

CVSS3: 4.3
ubuntu
about 5 years ago

A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.

CVSS3: 4.3
nvd
about 5 years ago

A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.

CVSS3: 4.3
debian
about 5 years ago

A vulnerability was found in all pki-core 10.x.x versions, where the K ...

CVSS3: 6.1
github
about 3 years ago

A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.

oracle-oval
more than 4 years ago

ELSA-2021-0851: pki-core security and bug fix update (IMPORTANT)
