CVE-2020-1721 — Cross-site Scripting in Project Pki-core

CWE-79 — Cross-site Scripting9 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

0.8%

top 25.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pki-core Project Pki-core Dogtagpki

Timeline

PublishedApr 30

Latest updateMay 24

Description

A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10.10.5 where it did not properly sanitize the recovery ID during a key recovery request, enabling a reflected cross-site scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5pki-core_project/pki-corepki-core 10.10.5

▶NVDdogtagpki/dogtagpki10.10.5

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-j9fq-77vj-2ww7: A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10↗2022-05-24

▶

CVEList

CVE-2020-1721: A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10↗2021-04-30

▶

OSV

CVE-2020-1721: A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10↗2021-04-30

▶

📋Vendor Advisories

Red Hat

pki-core: KRA vulnerable to reflected XSS via the getPk12 page↗2020-02-03

▶

Debian

CVE-2020-1721: dogtag-pki - A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 1...↗2020

▶

💬Community

Bugzilla

CVE-2020-27770 ImageMagick: unsigned offset overflowed at MagickCore/string.c↗2020-11-04

▶

Bugzilla

CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page [fedora-all]↗2020-02-04

▶

Bugzilla

CVE-2020-1721 pki-core: KRA vulnerable to reflected XSS via the getPk12 page↗2019-11-27

▶