CVE-2020-25715: XSS
First published: Fri Oct 23 2020(Updated: )
A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/pki-core | <0:10.5.18-12.el7_9 | 0:10.5.18-12.el7_9 |
| redhat/pki-core | <0:10.5.9-15.el7_6 | 0:10.5.9-15.el7_6 |
| redhat/pki-core | <0:10.5.16-7.el7_7 | 0:10.5.16-7.el7_7 |
| Dogtagpki Dogtagpki | =10.9.0 | |
| redhat/pki-core | <10.9.0 | 10.9.0 |
Remedy
Because the cross-site scripting (XSS) attack requires the victim to have their RHCS certificate installed in their web browser to be successful, it is recommended that web browser not hold the keys and that the user use the command line interface (CLI) instead.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1891016
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1934142
- https://github.com/dogtagpki/pki/commit/13f4c7fe7d71d42b46b25f3e8472ef7f35da5dd6
- https://access.redhat.com/errata/RHSA-2021:0819
- https://access.redhat.com/security/cve/cve-2020-25715
- https://access.redhat.com/errata/RHSA-2021:0851
- https://access.redhat.com/errata/RHSA-2021:0975
- https://access.redhat.com/errata/RHSA-2021:1263
- https://www.cve.org/CVERecord?id=CVE-2020-25715 https://nvd.nist.gov/vuln/detail/CVE-2020-25715
- https://access.redhat.com/errata/RHSA-2020:4847
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID of this flaw in pki-core?
The vulnerability ID is CVE-2020-25715.
What is the severity level of CVE-2020-25715?
The severity level of CVE-2020-25715 is medium.
How does the vulnerability CVE-2020-25715 affect pki-core?
The vulnerability allows a specially crafted POST request to reflect a DOM-based cross-site scripting (XSS) attack, which can inject code into the search query form and potentially compromise data integrity.
Which versions of pki-core are affected by CVE-2020-25715?
pki-core version 10.9.0 is affected by CVE-2020-25715.
Where can I find more information about CVE-2020-25715?
You can find more information about CVE-2020-25715 at the following references: - [CVE-2020-25715 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2020-25715) - [CVE-2020-25715 on NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-25715) - [Bugzilla Red Hat Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1891016) - [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:0851)
- collector/redhat-cve
- collector/nvd-index
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/type
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25715
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/dogtagpki
- canonical/dogtagpki dogtagpki
- version/dogtagpki dogtagpki/10.9.0