[Pkg-freeipa-devel] Bug#1014856: dogtag-pki: CVE-2019-10178
Moritz Mühlenhoff
jmm at inutil.org
Wed Jul 13 10:28:05 BST 2022
Source: dogtag-pki
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for dogtag-pki.
CVE-2019-10178[0]:
| It was found that the Token Processing Service (TPS) did not properly
| sanitize the Token IDs from the "Activity" page, enabling a Stored
| Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker
| could trick an authenticated victim into creating a specially crafted
| activity, which would execute arbitrary JavaScript code when viewed in
| a browser. All versions of pki-core are believed to be vulnerable.
This was reported at https://bugzilla.redhat.com/show_bug.cgi?id=1719042
It needs to be checked when/if this was fixed upstream.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10178
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-freeipa-devel
mailing list