CVE-2019-10178

2020-03-1814:57:08

CWE-79

redhat

www.cve.org

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

35.9%

JSON

It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the “Activity” page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser. All versions of pki-core are believed to be vulnerable.

CNA Affected

[
  {
    "product": "pki-core",
    "vendor": "The pki-core Project",
    "versions": [
      {
        "status": "affected",
        "version": "all versions"
      }
    ]
  }
]