Hi,
We are using the Dogtag PKI tool packaged through IPA on CentOS 6.6.
Here is the system information:
* pki-ca-9.0.3-38.el6_6.noarch
* pki-setup-9.0.3-38.el6_6.noarch
$ uname -a
Linux ipa_server 2.6.32-504.12.2.el6.x86_64 #1 SMP Wed Mar 11 22:03:14
UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
CentOS release 6.6 (Final)
It appears that the administration page is vulnerable to XSS attacks,
whether through the SSL administration page or the non-SSL
administration page. Here is the PoC:
* http://ipa_server:9180/ca/ee/ca/profileSelect?profileId=plop%3C/script%3E...
* https://ipa_server:9444/ca/ee/ca/profileSelect?profileId=plop%3C/script%3...
I cannot seem to find any trace of this problem on Google. Am I missing
something? Is it the same for other people?
Cheers,
--
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com
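
Added example, not part of the original message: a log check an administrator could run to find requests to the `profileSelect` endpoint whose `profileId` is not a plain profile name. The common-log-format layout, the allowlist pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/ca/ee/ca/profileSelect"
# Assumption: legitimate profile IDs are short alphanumeric names (e.g. caUserCert).
PROFILE_ID_OK = re.compile(r"[A-Za-z0-9_]{1,64}")
# Request line of a common-log-format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; line 2 reuses the visible part of the reported URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2015:10:00:00 +0200] "GET /ca/ee/ca/profileSelect?profileId=caUserCert HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Apr/2015:10:00:05 +0200] "GET /ca/ee/ca/profileSelect?profileId=plop%3C/script%3E HTTP/1.1" 200 4890',
    '192.0.2.11 - - [01/Apr/2015:10:00:09 +0200] "GET /ca/ee/ca/profileSelect?profileId=plop%253C/script%253E HTTP/1.1" 200 4890',
    '192.0.2.12 - - [01/Apr/2015:10:00:12 +0200] "GET /ca/ee/ca/profileList HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_profile_ids(log_lines):
    """Return (line_number, decoded profileId) for values outside the allowlist."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != ENDPOINT:
            continue
        # parse_qs decodes once; fully_decode handles any further encoding layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("profileId", []):
            value = fully_decode(raw)
            if not PROFILE_ID_OK.fullmatch(value):
                hits.append((lineno, value))
    return hits

if __name__ == "__main__":
    for lineno, value in suspicious_profile_ids(SAMPLE_LOG):
        print(f"line {lineno}: unexpected profileId {value!r}")
```

A hit means the request carried a value that cannot be a profile name under the assumed pattern; it does not show whether the response reflected it.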