{"containers": {"cna": {"affected": [{"product": "pki-core", "vendor": "n/a", "versions": [{"status": "affected", "version": "pki-core 10.9.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-28T10:20:26", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1891016"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-25715", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "pki-core", "version": {"version_data": [{"version_value": "pki-core 10.9.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1891016", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1891016"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:40:36.827Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1891016"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-25715", "datePublished": "2021-05-28T10:20:26", "dateReserved": "2020-09-16T00:00:00", "dateUpdated": "2024-08-04T15:40:36.827Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dogtagpki:dogtagpki:10.9.0:-:*:*:*:*:*:*", "matchCriteriaId": "64ACF6C9-6E28-44A8-8597-E58A83C8B8E7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en pki-core versi\u00f3n 10.9.0. Puede ser usado una petici\u00f3n POST especialmente dise\u00f1ada para reflejar un ataque de tipo cross-site scripting (XSS) basado en DOM para inyectar c\u00f3digo en el formulario de consulta de b\u00fasqueda que puede ejecutarse autom\u00e1ticamente. La mayor amenaza de esta vulnerabilidad es la integridad de los datos"}], "id": "CVE-2020-25715", "lastModified": "2021-06-08T02:10:20.387", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-28T11:15:07.640", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1891016"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0851", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "pki-core-0:10.5.18-12.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-03-16T00:00:00Z"}, {"advisory": "RHSA-2021:0819", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "pki-core-0:10.5.9-15.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2021-03-15T00:00:00Z"}, {"advisory": "RHSA-2021:0975", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "pki-core-0:10.5.16-7.el7_7", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2021-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:4847", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "pki-core:10.6-8030020200911215836.5ff1562f", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2020:4847", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "pki-deps:10.6-8030020200527165326.30b713e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}, {"advisory": "RHSA-2021:1263", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "pki-core:10.6-8020020210330222148.bbc64e6e", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-04-20T00:00:00Z"}], "bugzilla": {"description": "pki-core: XSS in the certificate search results", "id": "1891016", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1891016"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.", "A flaw was found in pki-core. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity."], "mitigation": {"lang": "en:us", "value": "Because the cross-site scripting (XSS) attack requires the victim to have their RHCS certificate installed in their web browser to be successful, it is recommended that web browser not hold the keys and that the user use the command line interface (CLI) instead."}, "name": "CVE-2020-25715", "package_state": [{"cpe": "cpe:/a:redhat:certificate_system:10", "fix_state": "Not affected", "package_name": "pki-core", "product_name": "Red Hat Certificate System 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "pki-core", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2021-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-25715\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25715"], "statement": "Red Hat Enterprise Linux 8.3 (pki-core 10.9.4) contains mitigations that prevents the vulnerability to be exploited. Red Hat Enterprise Linux version 8 prior to 8.3 are vulnerable to this version", "threat_severity": "Moderate", "upstream_fix": "pki-core 10.9.0"}