pki-tps is vulnerable to cross-site scripting. A lack of input validation and sanitization allows a remote attacker to inject arbitrary Javascript into a victim’s browser via the PATH_INFO
variable to steal session tokens or perform unwanted actions on behalf of the user.