A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:redhat:certificate_system:10.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "10.0"
},
{
"last_affected": "10.0"
}
],
"vendor_product": "redhat:certificate_system",
"source": "CPE_STRING"
}
]
}{
"cpe": "cpe:2.3:a:dogtagpki:dogtagpki:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "10.0"
},
{
"last_affected": "10.8.3"
}
],
"source": "CPE_RANGE"
}