CVE-2019-10146 in pki-core
Summary
by MITRE
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/12/2025
The vulnerability CVE-2019-10146 represents a reflected cross site scripting flaw within the pki-core 10.x.x server module, specifically affecting the CA Agent Service component. This issue arises from inadequate input validation and sanitization mechanisms in the certificate request page functionality. The vulnerability impacts all versions within the 10.x.x release series of the pki-core server software, making it a widespread concern for organizations utilizing this particular implementation. The flaw allows attackers to inject malicious script code through specially crafted input parameters that are then reflected back to victim users' browsers without proper sanitization.
The technical exploitation of this vulnerability occurs when an attacker crafts malicious input containing script code and submits it through the certificate request page interface. The CA Agent Service fails to properly sanitize or escape this input before processing or displaying it, creating a reflected XSS condition. When a victim user accesses the affected page with the malicious payload, the script code executes within their browser context, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This vulnerability operates at the application layer and requires user interaction to be exploited effectively.
The operational impact of CVE-2019-10146 extends beyond simple script execution, as it can enable attackers to compromise user sessions and potentially escalate privileges within the PKI infrastructure. Organizations relying on pki-core 10.x.x versions face risks of unauthorized certificate issuance, data exfiltration, and disruption of public key infrastructure services. The vulnerability aligns with CWE-79 which specifically addresses cross site scripting flaws, and maps to ATT&CK technique T1566.001 for initial access through spearphishing attachments or links. Attackers could leverage this vulnerability to gain unauthorized access to certificate management systems, potentially compromising the entire PKI ecosystem.
Mitigation strategies for CVE-2019-10146 require immediate patching of affected pki-core server installations to versions that properly sanitize input parameters. Organizations should implement comprehensive input validation and output encoding mechanisms to prevent script injection attacks. Network segmentation and web application firewalls can provide additional protective layers against exploitation attempts. Regular security assessments and code reviews should focus on input handling and sanitization practices. The vulnerability demonstrates the critical importance of proper parameter validation in web applications, particularly those handling sensitive cryptographic operations within PKI environments. Organizations must also establish robust incident response procedures to address potential exploitation attempts and monitor for suspicious activity in certificate management systems.