CVE-2020-1696: 
Linux Debian vulnerability analysis and mitigation

A flaw was found in all pki-core 10.x.x versions, where Token Processing Service (TPS) did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. This vulnerability was discovered in 2019 and assigned CVE-2020-1696 (NVD).

The vulnerability exists in the Profile ID field while adding new profiles at TPS's web page. The input field does not filter or sanitize specially crafted JavaScript code, which gets stored and triggered every time with the domain name in response. The severity is rated as MEDIUM with a CVSS v3.1 base score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

The security consequences are limited due to the webUI using client-side TLS authentication, which means stealing cookies would not be of much use to attackers. The main concerns are website defacing and minor information disclosure, such as user information from the victim including name, email, and roles (Bugzilla).

The vulnerability was fixed in a commit that addressed multiple XSS issues in TPS. The fix was included in Red Hat Certificate System security updates RHSA-2021:0947 and RHSA-2021:0948. Users should update to the patched versions of the affected software (Red Hat).