CVE-2019-10180

NameCVE-2019-10180
DescriptionA vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1014855

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dogtag-pki (PTS)bullseye10.10.2-3vulnerable
sid11.0.3-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dogtag-pkisource(unstable)(unfixed)1014855

Notes

[bullseye] - dogtag-pki <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1721137

Search for package or bug name: Reporting problems