Platform: other
Component: token-processing-service
Fixed in: 10.0.1
CVE-2019-10180 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Token Processing Service (TPS) of PKI Core. An attacker who can modify a token's parameters can store JavaScript in them, and that script later runs in the browser of any user who views the token in the TPS interface. The vulnerability affects all PKI Core 10.x.x versions from 10.0.0 onwards. A patch is available in version 10.0.1.
Successful exploitation of CVE-2019-10180 could allow an attacker to execute arbitrary JavaScript code within the context of an authenticated user's session. This could lead to account takeover, data theft, or defacement of the PKI Core interface. The attacker would need to first modify the parameters associated with a token, which could be achieved through various means depending on the system's configuration and access controls. The potential blast radius is limited to users who interact with tokens managed by the vulnerable PKI Core instance.
CVE-2019-10180 was publicly disclosed on March 31, 2020. There is no indication of active exploitation or KEV listing at the time of this writing. No public proof-of-concept exploits are readily available, suggesting a relatively low exploitation probability. The CVSS score of 2.4 reflects the low severity and limited attack vector.
Exploit Status
EPSS: 0.83% (74th percentile)
CVSS Vector
The primary mitigation for CVE-2019-10180 is to upgrade to PKI Core version 10.0.1 or later, which includes the necessary fixes. If immediate upgrading is not possible, consider implementing strict input validation and output encoding on all parameters handled by the Token Processing Service. Review token parameter modification permissions and restrict access to only authorized users. While a WAF might offer some protection, it's not a substitute for patching the underlying vulnerability.
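The interim mitigation above (allowlist validation of token parameters before they are stored, and HTML output encoding when they are displayed) is illustrated below. This is an added example written for this page, not code from PKI Core or the TPS; the field names, the allowlist patterns and the sample record are all constructed assumptions, and a real deployment would derive the allowlists from the TPS's actual parameter schema.

```python
import html
import re

# Constructed sample of a token record as a TPS-style interface might hold it.
# Field names are hypothetical; the "policy" value carries a constructed XSS payload.
TOKEN_PARAMS = {
    "tokenID": "TOKEN-0001",
    "userID": "alice",
    "status": "ACTIVE",
    "policy": "RE_ENROLL=YES<script>alert(1)</script>",
}

# Hypothetical per-field allowlists. Each value must fully match before it is stored;
# anything else is rejected rather than "cleaned up", so markup never reaches storage.
FIELD_RULES = {
    "tokenID": re.compile(r"^[A-Za-z0-9_-]{1,64}$"),
    "userID": re.compile(r"^[A-Za-z0-9._-]{1,64}$"),
    "status": re.compile(r"^(UNINITIALIZED|ACTIVE|SUSPENDED|TERMINATED)$"),
    "policy": re.compile(r"^[A-Z_]+=(YES|NO)(;[A-Z_]+=(YES|NO))*$"),
}


def validate_params(params):
    """Return a list of (field, reason) for every value that fails its allowlist.

    Unknown fields are reported too, so a caller cannot smuggle an unvalidated
    parameter past the check by inventing a new name.
    """
    problems = []
    for field, value in params.items():
        rule = FIELD_RULES.get(field)
        if rule is None:
            problems.append((field, "unknown field"))
        elif not rule.fullmatch(str(value)):
            problems.append((field, "value does not match allowlist"))
    return problems


def render_row_unsafe(params):
    """Vulnerable rendering: parameter values are interpolated into HTML verbatim."""
    cells = "".join(f"<td>{value}</td>" for value in params.values())
    return f"<tr>{cells}</tr>"


def render_row_safe(params):
    """Hardened rendering: every value is HTML-encoded for the element context.

    quote=True also encodes quotes, so the same helper is safe if a value is
    later placed inside a quoted attribute.
    """
    cells = "".join(
        f"<td>{html.escape(str(value), quote=True)}</td>" for value in params.values()
    )
    return f"<tr>{cells}</tr>"


def contains_script_tag(rendered_html):
    """Cheap check used in the demo: does a <script ...> tag survive rendering?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("validation:", validate_params(TOKEN_PARAMS))
    print("unsafe row executes script:", contains_script_tag(render_row_unsafe(TOKEN_PARAMS)))
    print("safe row executes script:  ", contains_script_tag(render_row_safe(TOKEN_PARAMS)))
```

Both layers matter: validation keeps the payload out of the token store in the first place, while output encoding protects users even if a parameter was written through some path that skipped validation.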
Update pki-core to a version later than 10.x.x in which the Cross-Site Scripting (XSS) vulnerability has been fixed. Consult the release notes or the changelog to identify the fixed version. If no fixed version is available, consider disabling or restricting access to the Token Processing Service (TPS) until an update is published.
CVE-2019-10180 is a stored XSS vulnerability in PKI Core's Token Processing Service, allowing attackers to inject JavaScript via token parameters.
If you are using PKI Core versions 10.0.0 through 10.x.x, you are potentially affected by this vulnerability.
Upgrade to PKI Core version 10.0.1 or later to resolve the vulnerability. Implement input validation as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2019-10180.
Refer to the PKI Core security advisories on the official PKI Core website for detailed information and updates.