Multiple cross-site scripting (XSS) flaws were found in the way: 1) 'displayCRL' script of Certificate System sanitized content of 'pageStart' and 'pageSize' variables provided in the query string, 2) 'profileProcess' script of Certificate System sanitized content of 'nonce' variable provided in the query string. A remote attacker could provide a specially-crafted web page that, when visited by an unsuspecting Certificate System user would lead to arbitrary HTML or web script execution in the context of Certificate System user session.
This issue affects the version of the pki-common package, as shipped with Red Hat Certificate System 8.1. -- This issue affects the version of the pki-common package, as shipped with Fedora EPEL 5.
This issue affects the version of the pki-core package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the versions of the pki-core package, as shipped with Fedora release of 16 and 17.
The CVE identifier of CVE-2012-4543 has been assigned to this issue.
Created pki-common tracking bugs for this issue Affects: epel-5 [bug 884828]
Created pki-core tracking bugs for this issue Affects: fedora-all [bug 884829]
This issue has been addressed in following products: Red Hat Certificate System 8 Via RHSA-2012:1550 https://rhn.redhat.com/errata/RHSA-2012-1550.html
pki-core-10.0.0-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0511 https://rhn.redhat.com/errata/RHSA-2013-0511.html