A vulnerability, reflected cross-site scripting in the getcookies?url= endpoint in CA, was reported in pki-core
Name: Pritam Singh (Red Hat)
This vulnerability is rated Low: the web UI uses client TLS authentication, therefore stealing session cookies will not be sufficient for unauthorized access. The vulnerable page itself does not contain secrets.
Created pki-core tracking bugs for this issue:
Affects: fedora-all [bug 1798039]
Do you know if this was reported in the upstream issue tracker and there is a fix?
Upstream is aware. There is currently no fix. I will check for upstream issue tracker.
However, the security consequences are very limited.
e.g.: thanks to the web UI using client-side TLS authentication, stealing a cookie will not be of much use to the attacker.
At the moment, the only concern is about defacing.
If/when there is a fix upstream, it will be posted on this bug tracker.
I hope this helps!
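The thread above describes a reflected XSS in a CA endpoint that echoes its `url` query parameter, and rates it Low because client TLS authentication blunts cookie theft. The following is an added illustration of the defect class and its standard fix, not code from pki-core (which is a Java project; Python is used here only for a self-contained demonstration). The handler names, the sample query string and the template text are constructed assumptions; only the parameter name `url` comes from the report.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string, as a web server would pass it to a handler.
# It carries markup characters in the `url` parameter (URL-encoded).
SAMPLE_QUERY = "url=%3Cb%3Ehello%3C%2Fb%3E%22+onerror%3D"


def reflected_param(query_string: str, name: str = "url") -> str:
    """Return the first value of `name` from a query string ('' if absent)."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(value: str) -> str:
    """Defect pattern: the request parameter is concatenated into HTML verbatim.

    Any '<', '>' or quote characters the client supplies become part of the
    page's markup, which is what makes the endpoint a reflected XSS sink.
    (Hypothetical template; not pki-core's actual page.)
    """
    return f"<p>Requested URL: {value}</p>"


def render_safe(value: str) -> str:
    """Hardened form: HTML-encode the value for the element-content context.

    html.escape(quote=True) turns & < > " ' into character references, so the
    reflected text is displayed but never parsed as markup.
    """
    return f"<p>Requested URL: {html.escape(value, quote=True)}</p>"


def markup_from_input_survives(value: str, rendered: str) -> bool:
    """True if the rendered page contains more tag delimiters than the empty
    template does, i.e. the input contributed live markup.

    A cheap regression check for reviewers: run it against the hardened
    renderer with hostile-looking input and expect False.
    """
    baseline = render_safe("")
    return (rendered.count("<") > baseline.count("<")
            or rendered.count(">") > baseline.count(">"))


def security_headers() -> dict:
    """Defence-in-depth response headers a CA web UI can emit alongside output
    encoding (assumed values; not pki-core's configuration)."""
    return {
        # Block inline script so a missed encoding spot has less leverage.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        # Stop browsers from sniffing the reflected page into a different type.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    value = reflected_param(SAMPLE_QUERY)
    print("unsafe :", render_unsafe(value),
          "| markup survives:", markup_from_input_survives(value, render_unsafe(value)))
    print("safe   :", render_safe(value),
          "| markup survives:", markup_from_input_survives(value, render_safe(value)))
```

Output encoding for the exact context where the value lands (element content here; attribute or URL contexts need their own encoders) is the fix for this class of bug; the CSP header is an additional control, not a substitute.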