{"containers": {"cna": {"affected": [{"product": "pki-core", "vendor": "The pki-core Project", "versions": [{"status": "affected", "version": "all versions"}]}], "descriptions": [{"lang": "en", "value": "It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the \"Activity\" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser. All versions of pki-core are believed to be vulnerable."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-18T14:57:08", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10178"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:10.069Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10178"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10178", "datePublished": "2020-03-18T14:57:08", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2024-08-04T22:10:10.069Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dogtagpki:dogtagpki:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B2BB2FD-923D-4EEA-950D-0FCC22BB2486", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the \"Activity\" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser. All versions of pki-core are believed to be vulnerable."}, {"lang": "es", "value": "Se detect\u00f3 que el Token Processing Service (TPS) no sanea apropiadamente los ID de Token de la p\u00e1gina \"Activity\", permitiendo una vulnerabilidad de tipo Cross Site Scripting (XSS) Almacenado. Un atacante no autenticado podr\u00eda enga\u00f1ar a una v\u00edctima autenticada para que cree una actividad especialmente dise\u00f1ada, que ejecutar\u00eda c\u00f3digo JavaScript arbitrario cuando es visualizada en un navegador. Se cree que todas las versiones de pki-core son vulnerables."}], "id": "CVE-2019-10178", "lastModified": "2023-02-12T23:33:19.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2020-03-18T16:15:11.427", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10178"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Pritam Singh (Red Hat).", "affected_release": [{"advisory": "RHSA-2021:0948", "cpe": "cpe:/a:redhat:certificate_system_eus:9.4::el7", "package": "idm-console-framework-0:1.1.17-4.el7dsrv", "product_name": "Red Hat Certificate System 9.4 EUS", "release_date": "2021-03-23T00:00:00Z"}, {"advisory": "RHSA-2021:0948", "cpe": "cpe:/a:redhat:certificate_system_eus:9.4::el7", "package": "pki-console-0:10.5.9-2.el7pki", "product_name": "Red Hat Certificate System 9.4 EUS", "release_date": "2021-03-23T00:00:00Z"}, {"advisory": "RHSA-2021:0948", "cpe": "cpe:/a:redhat:certificate_system_eus:9.4::el7", "package": "pki-core-0:10.5.9-15.el7pki", "product_name": "Red Hat Certificate System 9.4 EUS", "release_date": "2021-03-23T00:00:00Z"}, {"advisory": "RHSA-2021:0948", "cpe": "cpe:/a:redhat:certificate_system_eus:9.4::el7", "package": "redhat-pki-theme-0:10.5.9-5.el7pki", "product_name": "Red Hat Certificate System 9.4 EUS", "release_date": "2021-03-23T00:00:00Z"}, {"advisory": "RHSA-2021:0947", "cpe": "cpe:/a:redhat:certificate_system:9.7::el7", "package": "pki-core-0:10.5.18-12.el7pki", "product_name": "Red Hat Certificate System 9.7", "release_date": "2021-03-22T00:00:00Z"}, {"advisory": "RHSA-2021:0947", "cpe": "cpe:/a:redhat:certificate_system:9.7::el7", "package": "redhat-pki-theme-0:10.5.18-5.el7pki", "product_name": "Red Hat Certificate System 9.7", "release_date": "2021-03-22T00:00:00Z"}], "bugzilla": {"description": "pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab", "id": "1719042", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1719042"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the \"Activity\" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser. All versions of pki-core are believed to be vulnerable.", "It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the \"Activity\" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser."], "name": "CVE-2019-10178", "package_state": [{"cpe": "cpe:/a:redhat:certificate_system:10", "fix_state": "Affected", "package_name": "pki-core", "product_name": "Red Hat Certificate System 10"}], "public_date": "2020-02-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10178\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10178"], "threat_severity": "Moderate"}