A cross-site scripting (XSS) flaw was found in the way the web interface of Red Hat Network Satellite / Spacewalk sanitized the subject and content values of a note added via a system.addNote() XML-RPC request. A remote authenticated Red Hat Network Satellite / Spacewalk user (with systems registered to the particular Red Hat Network Satellite / Spacewalk instance) could use this flaw to execute arbitrary HTML or web script, via a specially crafted XML-RPC request, in the context of the session of a Red Hat Network Satellite / Spacewalk administrator, if the administrator visited the page created as a result of that XML-RPC call.
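The flaw class described above, as an added Python sketch that is not Satellite / Spacewalk code: a note arriving in a system.addNote() XML-RPC call is rendered once by plain interpolation (the flawed pattern) and once with output escaping. The parameter order (sessionKey, serverId, subject, body), the table-row markup, the function names and the sample values are assumptions constructed for illustration.

```python
import html
import xmlrpc.client

# Constructed sample request (not taken from the advisory). The parameter
# order (sessionKey, serverId, subject, body) is an assumption.
SAMPLE_REQUEST = xmlrpc.client.dumps(
    ("constructed-session-key", 1000010000,
     "<script>alert(1)</script>",
     'disk swap <img src=x onerror="alert(2)">'),
    methodname="system.addNote",
)

def parse_add_note(request_xml):
    """Decode an XML-RPC call and return the note fields as plain strings."""
    params, method = xmlrpc.client.loads(request_xml)
    if method != "system.addNote" or len(params) != 4:
        raise ValueError("not a system.addNote call")
    _session, server_id, subject, body = params
    if not isinstance(subject, str) or not isinstance(body, str):
        raise ValueError("subject and body must be strings")
    return {"server_id": server_id, "subject": subject, "body": body}

def render_note_unsafe(note):
    """Flawed pattern: stored values are interpolated into the page as markup."""
    return "<tr><td>{subject}</td><td>{body}</td></tr>".format(**note)

def render_note_escaped(note):
    """Hardened form: every stored value is HTML-escaped at output time."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(note["subject"], quote=True),
        html.escape(note["body"], quote=True),
    )

if __name__ == "__main__":
    note = parse_add_note(SAMPLE_REQUEST)
    print("unsafe :", render_note_unsafe(note))
    print("escaped:", render_note_escaped(note))
```

XML-RPC transport encoding does not neutralize the values: the decoded subject and body are the original strings, so the escaping has to happen where the web interface writes them into HTML.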