VYPR

Pki Core

by Pki Core Project

Source repositories

CVEs (13)

  • CVE-2023-4727HigJun 11, 2024
    risk 0.49cvss 7.5epss 0.01

    A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to…

  • CVE-2018-1080HigJul 3, 2018
    risk 0.49cvss 7.5epss 0.02

    Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules (authz.evaluateOrder=allow,deny),…

  • CVE-2015-0234HigAug 29, 2017
    risk 0.49cvss 7.5epss 0.01

    Multiple temporary file creation vulnerabilities in pki-core 10.2.0.

  • CVE-2022-2393Jul 14, 2022
    risk 0.00cvss epss 0.00

    A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain,…

  • CVE-2020-25715May 28, 2021
    risk 0.00cvss epss 0.01

    A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data…

  • CVE-2020-1721Apr 30, 2021
    risk 0.00cvss epss 0.01

    A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10.10.5 where it did not properly sanitize the recovery ID during a key recovery request, enabling a reflected cross-site scripting (XSS) vulnerability. An attacker could trick an authenticated victim…

  • CVE-2021-20179Mar 15, 2021
    risk 0.00cvss epss 0.01

    A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and…

  • CVE-2019-10180Mar 31, 2020
    risk 0.00cvss epss 0.01

    A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the…

  • CVE-2020-1696Mar 20, 2020
    risk 0.00cvss epss 0.01

    A flaw was found in the all pki-core 10.x.x versions, where Token Processing Service (TPS) where it did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could…

  • CVE-2019-10179Mar 20, 2020
    risk 0.00cvss epss 0.01

    A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim…

  • CVE-2019-10221Mar 20, 2020
    risk 0.00cvss epss 0.01

    A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user…

  • CVE-2019-10178Mar 18, 2020
    risk 0.00cvss epss 0.01

    It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted…

  • CVE-2019-10146Mar 18, 2020
    risk 0.00cvss epss 0.01

    A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the…