RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847)


The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4847 advisory. - jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251) - bootstrap: XSS in the data-target attribute (CVE-2016-10735) - bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040) - bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042) - pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page (CVE-2019-10146) - pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab (CVE-2019-10179) - pki-core: Reflected XSS in getcookies?url= endpoint in CA (CVE-2019-10221) - jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358) - bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) - jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) - jquery: Passing HTML containing elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) - pki: Dogtag's python client does not validate certificates (CVE-2020-15720) - pki-core: KRA vulnerable to reflected XSS via the getPk12 page (CVE-2020-1721) - tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935) - pki-core: XSS in the certificate search results (CVE-2020-25715) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.