As noted in this report to oss-security , a flaw exists in the apt-cacher-ng server, and an inside attacker (on the LAN with knowledge of the server's address), could trick a user into visiting, or redirect them to, a manipulated URL that would cause the cross-site scripting attack.
A proposed fix has been made .
Created apt-cacher-ng tracking bugs for this issue:
Affects: fedora-20 [bug 1111808]
MITRE assigned CVE-2014-4510 to this issue:
apt-cacher-ng-0.7.26-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.