Pki-Core Project Pki-Core vulnerabilities

5 known vulnerabilities affecting pki-core_project/pki-core.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2022-2393 | MEDIUM | CVSS 5.7 | ≤ 10.12.4 | pki-core versions 10.12.4 and prior are affected. | 2022-07-14
CWE-285: A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able to decrypt message content.
cvelistv5, nvd

CVE-2020-25715 | MEDIUM | CVSS 6.1 | pki-core 10.9.0 | 2021-05-28
CWE-79: A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
cvelistv5

CVE-2020-1721 | MEDIUM | CVSS 6.1 | pki-core 10.10.5 | 2021-04-30
CWE-79: A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10.10.5 where it did not properly sanitize the recovery ID during a key recovery request, enabling a reflected cross-site scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted JavaScript code.
cvelistv5

CVE-2021-20179 | HIGH | CVSS 8.1 | pki-core 10.5, pki-core 10.8, pki-core 10.9, pki-core 10.10, pki-core 10.11 | 2021-03-15
CWE-863: A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.
cvelistv5

CVE-2015-0234 | HIGH | CVSS 7.5 | 10.2.0 | 2017-08-29
CWE-20: Multiple temporary file creation vulnerabilities in pki-core 10.2.0.
nvd