Vulnerability Name:

CVE-2012-4543 (CCN-80578)

Assigned:2012-12-06
Published:2012-12-06
Updated:2013-03-08
Summary:Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Certificate System (RHCS) before 8.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) pageStart or (2) pageSize to the displayCRL script, or (3) nonce variable to the profileProcess script.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2012-4543

Source: REDHAT
Type: Vendor Advisory
RHSA-2012:1550

Source: CCN
Type: RHSA-2013-0511
Moderate: pki-core security, bug fix and enhancement update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0511

Source: SECUNIA
Type: Vendor Advisory
51482

Source: CCN
Type: OSVDB ID: 88275
Red Hat Certificate System (RHCS) profileProcess nonce Parameter XSS

Source: CCN
Type: OSVDB ID: 88276
Red Hat Certificate System (RHCS) displayCRL Multiple Parameter XSS

Source: CCN
Type: Red Hat Web site
Red Hat Certificate System

Source: BID
Type: UNKNOWN
56843

Source: CCN
Type: BID-56843
Red Hat Certificate System Multiple Cross-Site Scripting and Denial of Service Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1027846

Source: CCN
Type: Red Hat Bugzilla Bug 864397
CVE-2012-4543 Certificate System: Multiple cross-site scripting flaws by displaying CRL or processing profile

Source: MISC
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=864397

Source: XF
Type: UNKNOWN
rhcs-interface-xss(80578)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:certificate_system:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:certificate_system:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:certificate_system:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:certificate_system:8:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:certificate_system:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:certificate_system:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:certificate_system:*:*:*:*:*:*:*:* (Version <= 8.1.1)

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:24032
    P
    		ELSA-2013:0511: pki-core security, bug fix and enhancement update (Moderate)
    2014-05-26
    oval:org.mitre.oval:def:20538
    P
    		RHSA-2013:0511: pki-core security, bug fix and enhancement update (Moderate)
    2014-02-17
    oval:com.redhat.rhsa:def:20130511
    P
    		RHSA-2013:0511: pki-core security, bug fix and enhancement update (Moderate)
    2013-02-21
    BACK
    redhat certificate system 7.1
    redhat certificate system 7.2
    redhat certificate system 7.3
    redhat certificate system 8
    redhat certificate system 8.0
    redhat certificate system 8.1
    redhat certificate system *