{
  "threat_severity" : "Moderate",
  "public_date" : "2021-03-02T00:00:00Z",
  "bugzilla" : {
    "description" : "pki-core: XSS in the certificate search results",
    "id" : "1891016",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1891016"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A flaw was found in pki-core 10.9.0. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.", "A flaw was found in pki-core. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity." ],
  "statement" : "Red Hat Enterprise Linux 8.3 (pki-core 10.9.4) contains mitigations that prevents the vulnerability to be exploited. Red Hat Enterprise Linux version 8 prior to 8.3 are vulnerable to this version",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2021-03-16T00:00:00Z",
    "advisory" : "RHSA-2021:0851",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "pki-core-0:10.5.18-12.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-15T00:00:00Z",
    "advisory" : "RHSA-2021:0819",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "pki-core-0:10.5.9-15.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Extended Update Support",
    "release_date" : "2021-03-23T00:00:00Z",
    "advisory" : "RHSA-2021:0975",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.7",
    "package" : "pki-core-0:10.5.16-7.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4847",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "pki-core:10.6-8030020200911215836.5ff1562f"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4847",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "pki-deps:10.6-8030020200527165326.30b713e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2021-04-20T00:00:00Z",
    "advisory" : "RHSA-2021:1263",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "pki-core:10.6-8020020210330222148.bbc64e6e"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Certificate System 10",
    "fix_state" : "Not affected",
    "package_name" : "pki-core",
    "cpe" : "cpe:/a:redhat:certificate_system:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "pki-core",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-25715\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25715" ],
  "name" : "CVE-2020-25715",
  "mitigation" : {
    "value" : "Because the cross-site scripting (XSS) attack requires the victim to have their RHCS certificate installed in their web browser to be successful, it is recommended that web browser not hold the keys and that the user use the command line interface (CLI) instead.",
    "lang" : "en:us"
  },
  "csaw" : false
}