It was reported that Certificate System suffers from XSS flaws in the /tus/ and /tus/tus/ URLs, such as:

GET /tus/tus/%22%2b%61%6c%65%72%74%28%34%38%32%36%37%29%2b%22
or
GET /tus/%22%2b%61%6c%65%72%74%28%36%31%34%35%32%29%2b%22

which will in turn output something like:

<!-- var uriBase = "/tus/"+alert(85384)+"; var userid = "admin";

This was reported against Certificate System 8.1 and may also affect Dogtag 9 and 10.
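The reflection in the comment above lands inside a JavaScript string literal in an inline script, so a double quote in the path closes the literal and the rest of the path is parsed as code. The following Node.js snippet is an added illustration, not code from the bug report or from pki-tps: it renders the same `var uriBase = "..."; var userid = "admin";` line naively and in a hardened form, and includes a quote-count check and a round-trip check a reviewer can run over rendered output. Function names and the sample payload number are hypothetical.

```javascript
// Added example (not pki-tps code). Renders a path value into an inline
// <script> string literal, naive vs hardened. Names are hypothetical.

// Naive rendering in the spirit of what the report describes: the path is
// concatenated straight into a JS string literal, so a '"' in the path ends
// the literal and whatever follows is parsed as code.
function renderNaive(path) {
  return '<script>var uriBase = "' + path + '"; var userid = "admin";</script>';
}

// Hardened rendering: JSON.stringify yields a valid JS string literal (quotes,
// backslashes and newlines escaped); '<', '>' and U+2028/U+2029 are then
// escaped so the literal can never close the <script> element or break parsing.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(path) {
  return '<script>var uriBase = ' + jsStringLiteral(path) + '; var userid = "admin";</script>';
}

// Cheap check over rendered output: count unescaped double quotes in the
// uriBase assignment. Exactly two means the value stayed inside one literal;
// more means the value broke out of it. Returns -1 if the line is absent.
function uriBaseQuoteCount(html) {
  const m = /var uriBase = (.*?); var userid/.exec(html);
  if (!m) return -1;
  const literal = m[1];
  let count = 0;
  for (let i = 0; i < literal.length; i++) {
    if (literal[i] === '\\') { i++; continue; } // skip the escaped character
    if (literal[i] === '"') count++;
  }
  return count;
}

// Round-trip check: evaluate the hardened script body and confirm uriBase
// comes back as the original path, i.e. nothing in the path ran as code.
function roundTrip(path) {
  const body = renderHardened(path).replace(/^<script>/, '').replace(/<\/script>$/, '');
  return new Function(body + ' return uriBase;')();
}

// Constructed sample: the decoded form of the report's payload shape
// ("+alert(N)+"), with a placeholder number.
const SAMPLE_PATH = decodeURIComponent('/tus/%22%2b%61%6c%65%72%74%28%31%32%33%34%35%29%2b%22');
```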
Created pki-tps tracking bugs for this issue:

Affects: fedora-all [bug 966189]
Affects: epel-5 [bug 966190]
This issue has been addressed in the following products:

Red Hat Certificate System 8

Via RHSA-2013:0856 https://rhn.redhat.com/errata/RHSA-2013-0856.html
pki-tps-9.0.11-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.