Name: Pritam Singh (Red Hat)
Created pki-core tracking bugs for this issue:
Affects: fedora-all [bug 1797988]
Do you know if this was reported in the upstream issue tracker and there is a fix?
Upstream is aware. There is currently no fix. I will check for upstream issue tracker.
However, the security consequences are very limited.
E.g., thanks to the webUI using client-side TLS authentication, stealing a cookie will not be of much use to the attacker.
At the moment, the only concerns are defacing and minor information disclosure (user information from the victim, such as name, email and roles, which the attacker can probably have access to via other means given the privilege requirements for storing the XSS in the first place).
If/when there is a fix upstream, it will be posted on this bug tracker.
I hope this helps!