Platform
other
Component
token-processing-service
Fixed in
10.0.1
CVE-2019-10180 identifies a stored Cross-Site Scripting (XSS) vulnerability within the Token Processing Service (TPS) of PKI Core. This flaw allows attackers to inject malicious JavaScript code if they can modify token parameters. The vulnerability impacts all PKI Core versions 10.x.x, from 10.0.0 onwards. A patch is available in version 10.0.1.
Successful exploitation of CVE-2019-10180 could allow an attacker to execute arbitrary JavaScript code in the context of an authenticated user's session. This could lead to account takeover, data theft, or defacement of the PKI Core interface. The attacker would first need to modify the parameters associated with a token; whether that is possible depends on the system's configuration and access controls. The potential blast radius is limited to users who interact with tokens managed by the vulnerable PKI Core instance.
CVE-2019-10180 was publicly disclosed on March 31, 2020. There is no indication of active exploitation or KEV listing at the time of this writing. No public proof-of-concept exploits are readily available, suggesting a relatively low exploitation probability. The CVSS score of 2.4 reflects the low severity and limited attack vector.
Organizations utilizing PKI Core versions 10.0.0 through 10.x.x are at risk, particularly those with systems where token parameters are accessible for modification by untrusted users. Shared hosting environments or deployments with overly permissive access controls could exacerbate the risk.
disclosure
Exploit Status
EPSS
0.83% (74th percentile)
CVSS Vector
The primary mitigation for CVE-2019-10180 is to upgrade to PKI Core version 10.0.1 or later, which includes the fix. If an immediate upgrade is not possible, apply strict input validation and context-appropriate output encoding to all parameters handled by the Token Processing Service. Review which accounts are permitted to modify token parameters and restrict that permission to authorized users only. A WAF may offer some protection, but it is not a substitute for patching the underlying vulnerability.
Update pki-core to a version later than 10.x.x in which the Cross-Site Scripting (XSS) vulnerability has been fixed. Check the release notes or changelog to identify the fixed version. If no fixed version is available, consider disabling or restricting access to the Token Processing Service (TPS) until an update is published.
CVE-2019-10180 is a stored XSS vulnerability in PKI Core's Token Processing Service, allowing attackers to inject JavaScript via token parameters.
If you are using PKI Core versions 10.0.0 through 10.x.x, you are potentially affected by this vulnerability.
Upgrade to PKI Core version 10.0.1 or later to resolve the vulnerability. Implement input validation as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2019-10180.
Refer to the PKI Core security advisories on the official PKI Core website for detailed information and updates.