CVE-2019-10180

CVSS V2 Low 3.5 CVSS V3 Medium 4.8
Description
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
Overview
  • CVE ID
  • CVE-2019-10180
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2020-03-31T17:15:25
  • Last Modified Date
  • 2023-02-12T23:33:22
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:dogtagpki:dogtagpki:*:*:*:*:*:*:*:* 1 OR 10.0 10.8.3
cpe:2.3:a:redhat:certificate_system:10.0:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:S/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • SINGLE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 3.5
  • Severity
  • LOW
  • Exploitability Score
  • 6.8
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • HIGH
  • User Interaction
  • REQUIRED
  • Scope
  • CHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 4.8
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 1.7
  • Impact Score
  • 2.7
History
Created Old Value New Value Data Type Notes
2022-05-10 16:45:37 Added to TrackCVE
2022-12-04 13:44:08 2020-03-31T17:15Z 2020-03-31T17:15:25 CVE Published Date updated
2022-12-04 13:44:08 2020-04-02T13:14:44 CVE Modified Date updated
2022-12-04 13:44:08 Analyzed Vulnerability Status updated
2023-02-02 22:10:37 2023-02-02T21:18:30 CVE Modified Date updated
2023-02-02 22:10:37 Analyzed Modified Vulnerability Status updated
2023-02-02 22:10:38 A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code. It was found that the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code. Description updated
2023-02-02 22:10:40 References updated
2023-02-13 01:10:22 2023-02-12T23:33:22 CVE Modified Date updated
2023-02-13 01:10:23 It was found that the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code. A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code. Description updated