CVE-2019-10180 in Dogtagpki and Red Hat Products
Published on March 31, 2020

A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.

NVD

Vulnerability Analysis

CVE-2019-10180 is exploitable with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

HIGH

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

NONE

Availability Impact:

NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2019-10180 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2019-10180

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-10180 are published in these products:

Dogtagpki

Red Hat Certificate System

Affected Versions

[UNKNOWN] pki-core Version all pki-core 10.x.x versions is affected by CVE-2019-10180

Exploit Probability

EPSS

0.83%

Percentile

74.14%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.