pki-core: cross-site scripting

Package(s): pki-core
CVE #(s): CVE-2012-4543
Created: December 17, 2012
Updated: March 11, 2013
Description: From the Red Hat bugzilla:

Multiple cross-site scripting (XSS) flaws were found in the way:

1) 'displayCRL' script of Certificate System sanitized content of 'pageStart' and 'pageSize' variables provided in the query string,

2) 'profileProcess' script of Certificate System sanitized content of 'nonce' variable provided in the query string.

A remote attacker could provide a specially-crafted web page that, when visited by an unsuspecting Certificate System user, would lead to arbitrary HTML or web script execution in the context of the Certificate System user's session.

Alerts:
Fedora FEDORA-2012-20220 2012-12-15
Fedora FEDORA-2012-20243 2012-12-21
Red Hat RHSA-2013:0511-02 2013-02-21
Oracle ELSA-2013-0511 2013-02-25
Scientific Linux SL-pki--20130228 2013-02-28
CentOS CESA-2013:0511 2013-03-09

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds