Platform
other
Component
token-processing-service
Fixed version
10.0.1
CVE-2019-10180 is a stored cross-site scripting (XSS) vulnerability in the Token Processing Service (TPS) of pki-core (Dogtag PKI). TPS did not properly sanitize several parameters stored for a token, so an attacker who can modify a token's parameters can store a JavaScript payload that executes in the browser of an authenticated user who later views that token in the TPS interface. All pki-core 10.x.x releases are affected; this page lists 10.0.1 as the fixed version.
Successful exploitation runs attacker-controlled JavaScript in the session of an authenticated TPS user (for example an agent or administrator) who views the tampered token. The script can then perform any action in the TPS interface that the victim is authorized to perform, read data the victim can read, or deface the page. The attacker must first be able to modify the token's parameters; how hard that is depends on the deployment's access controls over token management. The blast radius is limited to users of the vulnerable TPS instance who view the affected tokens.
CVE-2019-10180 was publicly disclosed on March 31, 2020. At the time of writing there is no indication of active exploitation and no CISA KEV listing. No public proof-of-concept is readily available, which suggests a relatively low exploitation probability. The CVSS score recorded here (2.4) reflects the preconditions: the attacker needs the ability to modify token parameters, and a victim must then view the tampered token.
Organizations running affected pki-core 10.x.x releases are at risk, particularly where token parameters can be modified by users who are not fully trusted. Deployments with overly permissive access controls over token management, or shared environments in which many parties can reach the TPS, raise the risk.
Exploit status
No active exploitation or KEV listing reported at the time of writing.
EPSS
0.83% (74th percentile)
The primary mitigation for CVE-2019-10180 is to upgrade pki-core to 10.0.1 or later, the fixed version listed above. If upgrading immediately is not possible: restrict the ability to create or modify tokens to the smallest set of authorized operators, and, if you maintain the TPS UI or a front end in front of it, apply strict input validation on token parameters and contextual output encoding wherever they are rendered into HTML. Note that validation alone does not fix stored XSS in free-form fields; the rendering side must encode. A WAF may block obvious payloads but is not a substitute for patching the underlying vulnerability.
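The following is an added example, not pki-core's own code, showing the rendering pattern behind this class of bug: token fields stored by the server are later placed into HTML by the web UI. It contrasts a row renderer that concatenates the raw values with one that HTML-encodes them, and adds allowlist validation for the fixed-format fields. The field names (cuid, userID, status, policy), the 20-hex-digit CUID format, the status set and the sample token record are assumptions constructed for the example; a real payload would use the victim's session against the TPS API rather than call alert.

```javascript
// Added example (not pki-core code). Field names, the CUID format, the
// status allowlist and the sample record below are assumptions.

// Output encoding for HTML text and quoted-attribute contexts only.
// (JavaScript, URL and CSS contexts need their own encoders.)
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored token fields concatenated straight into markup.
// Any field the attacker controls becomes markup in the viewer's browser.
function renderTokenRowUnsafe(token) {
  return `<tr><td>${token.cuid}</td><td>${token.userID}</td>` +
         `<td>${token.status}</td><td>${token.policy}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML context.
function renderTokenRowSafe(token) {
  const cells = [token.cuid, token.userID, token.status, token.policy]
    .map((v) => `<td>${escapeHtml(v)}</td>`)
    .join('');
  return `<tr>${cells}</tr>`;
}

// Input validation on the write path: allowlist fields with a fixed format
// and bound the free-form ones. Assumed formats for this example.
const CUID_RE = /^[0-9A-F]{20}$/i;
const STATUS_ALLOWED = new Set(['UNINITIALIZED', 'ACTIVE', 'SUSPENDED', 'TERMINATED']);

function validateTokenParams(token) {
  const errors = [];
  if (!CUID_RE.test(token.cuid)) errors.push('cuid: expected 20 hex digits');
  if (!STATUS_ALLOWED.has(token.status)) errors.push('status: not in allowlist');
  for (const field of ['userID', 'policy']) {
    const v = token[field];
    if (typeof v !== 'string' || v.length === 0 || v.length > 256 ||
        /[\x00-\x1f]/.test(v)) {
      errors.push(`${field}: must be 1-256 printable characters`);
    }
  }
  return errors;
}

// Constructed sample: a token whose userID carries a stored XSS payload.
const TAMPERED_TOKEN = {
  cuid: '0123456789ABCDEF0123',
  userID: '<img src=x onerror="alert(document.domain)">',
  status: 'ACTIVE',
  policy: 'RE_ENROLL=YES',
};

// Shows the two renderers side by side and that the payload passes
// validation: it is well-formed text, so only output encoding stops it.
function demo() {
  const unsafe = renderTokenRowUnsafe(TAMPERED_TOKEN);
  const safe = renderTokenRowSafe(TAMPERED_TOKEN);
  return {
    unsafeContainsMarkup: unsafe.includes('<img'),
    safeContainsMarkup: safe.includes('<img'),
    safeRow: safe,
    validationErrors: validateTokenParams(TAMPERED_TOKEN),
  };
}

console.log(demo());
```

The point the demo makes is that the tampered record is valid input (a 256-character bound and a control-character check do not reject markup), so the fix has to be on the rendering side: encode at the HTML sink, and use validation only to tighten the fields that have a fixed format, such as the CUID.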
Update pki-core to a release in which this Cross-Site Scripting (XSS) vulnerability is fixed (10.0.1 is listed as the fixed version above), and confirm from the release notes or changelog that the fix is present. If a fixed version is not available to you, consider disabling the Token Processing Service (TPS) or restricting access to it.
CVE-2019-10180 is a stored XSS vulnerability in pki-core's Token Processing Service: an attacker who can modify a token's stored parameters can inject JavaScript that runs for authenticated users who view that token.
If you run any pki-core 10.x.x release older than the fixed version, you are potentially affected.
Upgrade to pki-core 10.0.1 or later to resolve the vulnerability. Restricting token-modification rights and validating and encoding token parameters are interim measures, not a fix.
There is currently no evidence of active exploitation of CVE-2019-10180.
Refer to the pki-core security advisories on the project's official website for detailed information and updates.