Описание
A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
A flaw was found in pki-core. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
Отчет
Red Hat Enterprise Linux 8.3 (pki-core 10.9.4) contains mitigations that prevents the vulnerability to be exploited. Red Hat Enterprise Linux version 8 prior to 8.3 are vulnerable to this version
Меры по смягчению последствий
Because the cross-site scripting (XSS) attack requires the victim to have their RHCS certificate installed in their web browser to be successful, it is recommended that web browser not hold the keys and that the user use the command line interface (CLI) instead.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Certificate System 10 | pki-core | Not affected | ||
| Red Hat Enterprise Linux 6 | pki-core | Out of support scope | ||
| Red Hat Enterprise Linux 7 | pki-core | Fixed | RHSA-2021:0851 | 16.03.2021 |
| Red Hat Enterprise Linux 7.6 Extended Update Support | pki-core | Fixed | RHSA-2021:0819 | 15.03.2021 |
| Red Hat Enterprise Linux 7.7 Extended Update Support | pki-core | Fixed | RHSA-2021:0975 | 23.03.2021 |
| Red Hat Enterprise Linux 8 | pki-core | Fixed | RHSA-2020:4847 | 04.11.2020 |
| Red Hat Enterprise Linux 8 | pki-deps | Fixed | RHSA-2020:4847 | 04.11.2020 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | pki-core | Fixed | RHSA-2021:1263 | 20.04.2021 |
Показывать по
Дополнительная информация
Статус:
5.9 Medium
CVSS3
Связанные уязвимости
A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
A flaw was found in pki-core 10.9.0. A specially crafted POST request ...
A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
ELSA-2021-0851: pki-core security and bug fix update (IMPORTANT)
5.9 Medium
CVSS3