CVE-2019-10180 in pki-core
Summary
by MITRE
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/10/2025
The vulnerability identified as CVE-2019-10180 affects the pki-core 10.x.x version family, specifically targeting the Token Processing Service component. This issue represents a critical security flaw that undermines the integrity of token parameter handling within the PKI infrastructure. The vulnerability stems from inadequate input sanitization mechanisms within the TPS subsystem, which processes and stores various token parameters for cryptographic operations. The affected system operates within the broader context of Public Key Infrastructure implementations where token management serves as a fundamental security control for authentication and authorization processes.
The technical flaw manifests as a stored cross site scripting vulnerability that occurs when the Token Processing Service fails to properly sanitize user-supplied parameters before storing them for token operations. This improper sanitization allows malicious inputs to be persistently stored within the system's token parameters, creating a persistent threat vector that remains active until the parameters are explicitly modified or removed. The vulnerability specifically impacts how the system handles parameter validation and input processing, where the sanitization routines are insufficient to prevent malicious script injection attempts. This flaw operates at the application layer and requires authentication to exploit, making it particularly dangerous as it can be leveraged by authenticated attackers with appropriate privileges.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to manipulate token parameters in ways that can compromise the entire PKI ecosystem. When authenticated users interact with affected token parameters, their browsers execute the malicious JavaScript code embedded within the stored parameters, potentially leading to session hijacking, credential theft, or further privilege escalation within the PKI environment. The stored nature of this XSS vulnerability means that the malicious code persists even after the initial injection point, creating a long-term threat that can affect multiple users over extended periods. This vulnerability directly impacts the confidentiality, integrity, and availability of the PKI services by potentially allowing unauthorized access to sensitive cryptographic tokens and their associated operations.
Security mitigations for CVE-2019-10180 should focus on implementing robust input validation and sanitization mechanisms within the Token Processing Service component. Organizations should immediately upgrade to patched versions of pki-core 10.x.x that address the parameter sanitization deficiencies. The implementation of proper content security policies and output encoding for all token parameter handling should be enforced to prevent script execution in user contexts. Additionally, security monitoring should be enhanced to detect unauthorized parameter modifications, and regular security audits should verify that token parameter handling follows secure coding practices. This vulnerability aligns with CWE-79 which addresses cross site scripting flaws, and maps to ATT&CK technique T1059.007 for script injection, highlighting the need for comprehensive defensive measures across multiple security domains including application security, input validation, and user session management.