
SignServer Security Advisory: Cross-site Scripting Issue in Admin Web - News / PrimeKey Announcements - PrimeKey Support

Mar 16 2022

SignServer Security Advisory: Cross-site Scripting Issue in Admin Web


Dear Customers and Partners,

PrimeKey has released an update to address a vulnerability in SignServer found as a part of our internal testing.

Issue Summary

During testing with a new combination of test data and request sequence in the SignServer Admin Web interface, a cross-site scripting issue was found. If a new worker is set up with JavaScript code in the worker name and a Generate CSR request is then issued for that worker, the script in the worker name is executed in the Generate CSR step.

Severity

Low – Only an authorized SignServer administrator could perform an attack. Any update of worker names configured in SignServer will be logged in the audit log.

Who is potentially affected

Customers whose systems are set up with many users having administrative access, and/or with a compromised administrative account.

Who is not affected

Customers who are confident that every user with administrative access to SignServer is fully trusted.

Mitigations

This issue has been fixed in SignServer 5.8.1, and similar issues in other parts of Admin Web have also been fixed. Customers are advised to upgrade as soon as possible.

You can review your audit log for worker name updates to check whether any suspicious worker name updates have been performed.
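The audit log review suggested above can be automated. The following is an added example written for this advisory, not SignServer code: it scans audit log lines for worker configuration updates, flags any new worker name that falls outside a conservative allowlist (letters, digits, `_`, `-`, `.`), and reports why (raw markup, HTML entities, inline event handlers). It also shows the output-encoding pattern that neutralises such a name when it is rendered in a page. The log line layout, the event names (`SET_WORKER_CONFIG`, `GENERATE_CSR`) and the field names are assumptions made for the example; SignServer's real audit log format differs, so adapt `LINE_RE` to the fields your installation produces. The sample lines are constructed.

```python
import html
import re
from dataclasses import dataclass, field

# Constructed audit log lines. The key=value layout, event names and field
# names are assumptions made for this example, not SignServer's real format.
SAMPLE_AUDIT_LOG = """\
2022-03-10T09:12:01Z EVENT=SET_WORKER_CONFIG ADMIN=CN=alice WORKER_ID=7 NAME=PDFSigner
2022-03-10T09:14:42Z EVENT=SET_WORKER_CONFIG ADMIN=CN=bob WORKER_ID=8 NAME=<script>alert(1)</script>
2022-03-10T09:20:05Z EVENT=GENERATE_CSR ADMIN=CN=bob WORKER_ID=8
2022-03-11T14:03:19Z EVENT=SET_WORKER_CONFIG ADMIN=CN=carol WORKER_ID=9 NAME=XMLSigner&lt;test
2022-03-11T15:00:00Z EVENT=SET_WORKER_CONFIG ADMIN=CN=dave WORKER_ID=10 NAME=Signer<b onerror=alert(1)>
"""

# Hypothetical line shape: timestamp, event, admin DN, worker id, optional name.
# NAME is the last field so it may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EVENT=(?P<event>\S+) ADMIN=(?P<admin>\S+) "
    r"WORKER_ID=(?P<wid>\d+)(?: NAME=(?P<name>.*))?$"
)

# Allowlist: a worker name should only ever need these characters.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
ENTITY_RE = re.compile(r"&(#\d+|#x[0-9a-f]+|[a-z]+);", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    admin: str
    worker_id: int
    name: str
    reasons: list = field(default_factory=list)


def classify_name(name: str) -> list:
    """Return the reasons a worker name looks like injected markup (empty = clean)."""
    if SAFE_NAME_RE.match(name):
        return []
    reasons = []
    if "<" in name or ">" in name:
        reasons.append("markup")
    if ENTITY_RE.search(name):
        # Pre-encoded entities matter if a renderer decodes them before output.
        reasons.append("html-entity")
    if EVENT_HANDLER_RE.search(name):
        reasons.append("event-handler")
    if "javascript:" in name.lower():
        reasons.append("javascript-uri")
    if not reasons:
        reasons.append("unexpected-characters")
    return reasons


def scan_audit_log(text: str) -> list:
    """Parse worker configuration events and flag names that fail the allowlist."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "SET_WORKER_CONFIG" or m.group("name") is None:
            continue
        reasons = classify_name(m.group("name"))
        if reasons:
            findings.append(Finding(m.group("ts"), m.group("admin"),
                                    int(m.group("wid")), m.group("name"), reasons))
    return findings


def render_name_cell(name: str) -> str:
    """Output-encode a worker name before placing it in HTML (the fix pattern).

    html.escape turns <, >, &, and quotes into entities, so the browser shows the
    name as text instead of parsing it as markup or script."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f.timestamp} {f.admin} worker {f.worker_id}: {f.reasons} -> {f.name!r}")
        print("  rendered safely as:", render_name_cell(f.name))
```

Run against a real export, the scan should be paired with the advisory's own advice: any flagged `SET_WORKER_CONFIG` entry identifies the administrator account that made the change, which is the starting point for deciding whether that account was misused or compromised. The allowlist approach is deliberately stricter than looking for `<script>` alone, since the Admin Web fix is output encoding rather than input filtering, and the log review is only meant to surface names that warrant a closer look.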

Contact us:

support@primekey.com

Global support number: +1 251 317 6984