RHSA-2021:0948: Red Hat Security Advisory: Red Hat Certificate System security and bug fix update

An update for pki-console, pki-core, and redhat-pki-theme is now available for Red Hat Certificate System 9.4 EUS. Red Hat Certificate System 9.4 EUS is a special channel for the delivery of Red Hat Certificate System updates. Downgrading the installed packages is not supported. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es):

• pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)
• pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)
• pki-core: Stored XSS in TPS profile creation (CVE-2020-1696) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es):
• Update Batch Update Information to Version 20 [RHCS 9.4.z] (BZ#1931149)
• Not able to launch pkiconsole – RHEL 7.6.z backport request [RHCS 9.4.z] (BZ#1931718) Related CVEs:
• CVE-2019-10178: pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab
• CVE-2019-10180: pki-core: unsanitized token parameters in TPS resulting in stored XSS
• CVE-2020-1696: pki-core: Stored XSS in TPS profile creation