CVE-2019-10179 – pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab
https://notcve.org/view.php?id=CVE-2019-10179
A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code. Se detectó una vulnerabilidad en todas las versiones de pki-core 10.x.x, donde el Key Recovery Authority (KRA) Agent Service no saneó apropiadamente la página de búsqueda de petición de recuperación, permitiendo una vulnerabilidad de tipo Cross Site Scripting (XSS) Reflejado. Un atacante podría engañar a una víctima autenticada para que ejecute un código Javascript especialmente diseñado. It was found that the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10179 https://access.redhat.com/security/cve/CVE-2019-10179 https://bugzilla.redhat.com/show_bug.cgi?id=1695901 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-10221 – pki-core: Reflected XSS in getcookies?url= endpoint in CA
https://notcve.org/view.php?id=CVE-2019-10221
A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute arbitrary code when viewed in a browser. Se detectó una vulnerabilidad de tipo Cross Site Scripting Reflejado en todas las versiones de pki-core 10.x.x, en el módulo pki-ca del servidor pki-core. Este fallo es debido a la falta de saneamiento de los parámetros GET URL. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10221 https://access.redhat.com/security/cve/CVE-2019-10221 https://bugzilla.redhat.com/show_bug.cgi?id=1732565 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •