
Security Advisory: SignServer - Cross-site scripting issue in Admin Web


March 6, 2022

Dear customers and partners,

PrimeKey has released an update to address a vulnerability in SignServer found as a part of our internal testing.

Issue summary

During testing with a new combination of test data and request sequence in the SignServer Admin Web interface, a cross-site scripting issue was found. By setting up a new worker whose name contains JavaScript code and then issuing a Generate CSR request, the script embedded in the worker name is executed during the Generate CSR step.

Severity

Low. Only an authorized SignServer administrator could perform an attack. Any update of worker names configured in SignServer is recorded in the audit log.

Who is potentially affected?

Customers whose systems are set up with many users holding administrative access, and/or customers with a compromised administrative account.

Who is not affected?

Customers who are confident that every user with administrative access to SignServer is fully trustworthy.

Mitigations

This issue has been fixed in SignServer 5.8.1 and similar issues in other parts of Admin Web are also fixed. Customers are advised to upgrade as soon as possible.

You can review your audit log for worker name updates to check whether any suspicious worker names have been configured.
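As an added illustration of the audit log review suggested above (example code written for this advisory, not PrimeKey's or SignServer's own), the script below scans constructed, simplified audit log lines for worker name updates whose new name contains markup rather than a plain identifier, and shows the output encoding that keeps such a name from being interpreted by a page. The line layout and the SET_WORKER_CONFIG event name are assumptions for the example; adapt the parser to your installation's real audit log format.

```python
import html
import re

# Constructed sample audit log lines (not real SignServer output). The assumed
# layout is: timestamp;event;admin;workerId;value, one event per line.
SAMPLE_AUDIT_LOG = """\
2022-03-01T09:12:03Z;SET_WORKER_CONFIG;admin-alice;101;NAME=PDFSigner
2022-03-01T09:40:17Z;GENERATE_CSR;admin-alice;101;
2022-03-02T14:05:44Z;SET_WORKER_CONFIG;admin-bob;102;NAME=Signer<script>alert(1)</script>
2022-03-02T14:06:01Z;GENERATE_CSR;admin-bob;102;
2022-03-03T08:00:00Z;SET_WORKER_CONFIG;admin-carol;103;NAME=TimeStampSigner_2
"""

# Worker names legitimately look like identifiers; anything outside this
# allowlist (angle brackets, quotes, '&', spaces) deserves a closer look.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
WORKER_NAME_EVENT = "SET_WORKER_CONFIG"  # assumed event name for this example


def parse_line(line):
    """Split one constructed audit line into its five fields."""
    ts, event, admin, worker_id, value = line.split(";", 4)
    return {"ts": ts, "event": event, "admin": admin,
            "worker_id": worker_id, "value": value}


def suspicious_name_updates(log_text):
    """Return worker-name updates whose new name fails the identifier allowlist."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry["event"] != WORKER_NAME_EVENT or not entry["value"].startswith("NAME="):
            continue
        name = entry["value"][len("NAME="):]
        if not SAFE_NAME.match(name):
            hits.append({"ts": entry["ts"], "admin": entry["admin"],
                         "worker_id": entry["worker_id"], "name": name})
    return hits


def render_worker_name(name):
    """Defensive output encoding: HTML-escape the name before it is placed in a
    page, so markup in the name is displayed as text instead of interpreted."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for hit in suspicious_name_updates(SAMPLE_AUDIT_LOG):
        print(f"{hit['ts']} {hit['admin']} worker {hit['worker_id']}: "
              f"{render_worker_name(hit['name'])}")
```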

Additional information

Should you have any additional questions, please reach out to support@keyfactor.com.