[Pkg-freeipa-devel] Bug#1014855: dogtag-pki: CVE-2019-10180
Moritz Mühlenhoff
jmm at inutil.org
Wed Jul 13 10:26:23 BST 2022
Source: dogtag-pki
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for dogtag-pki.
CVE-2019-10180[0]:
| A vulnerability was found in all pki-core 10.x.x version, where the
| Token Processing Service (TPS) did not properly sanitize several
| parameters stored for the tokens, possibly resulting in a Stored Cross
| Site Scripting (XSS) vulnerability. An attacker able to modify the
| parameters of any token could use this flaw to trick an authenticated
| user into executing arbitrary JavaScript code.
This was reported at https://bugzilla.redhat.com/show_bug.cgi?id=1721137
Red Hat released an update, but it needs to be checked when/if this
was fixed upstream.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10180
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-freeipa-devel
mailing list