Users can create malicious YAML content (for example, a host parameter containing HTML content). When viewed with the Foreman UI, the YAML preview feature will execute the HTML.
This issue was discovered by Dominic Cleal of Red Hat.
Upstream fix (in 1.4.5 and 1.5.1):
This issue has been addressed in the following products:
Red Hat Satellite 6
Via the GA release of Satellite 6.
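
The flaw class described above (HTML inside a host parameter reaching the YAML preview unescaped), shown as an added example that is not Foreman's code or the upstream fix. The helper names, the `<pre>` wrapper and the sample parameters are assumptions made for illustration.

```ruby
require "yaml"
require "erb"

# Constructed sample: host parameters as a user could set them (not taken from the advisory).
SAMPLE_PARAMS = {
  "ntp_server" => "ntp.example.test",
  "motd"       => "<script>alert(1)</script>"
}.freeze

# Hypothetical helper: serialize parameters the way a YAML preview would.
def host_yaml(params)
  YAML.dump({ "parameters" => params })
end

# Unsafe pattern: the YAML text is interpolated into markup as-is, so HTML
# inside a parameter key or value becomes live markup in the viewer's browser.
def preview_unescaped(params)
  "<pre>#{host_yaml(params)}</pre>"
end

# Hardened pattern: escape the whole serialized document at the output
# boundary, which covers keys and values alike.
def preview_escaped(params)
  "<pre>#{ERB::Util.html_escape(host_yaml(params))}</pre>"
end

# Regression check: any tag inside the <pre> wrapper means user-controlled
# markup leaked into the page.
def leaked_markup?(html)
  inner = html.sub(/\A<pre>/, "").sub(/<\/pre>\z/, "")
  inner.match?(/<\/?[a-zA-Z]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped leaks markup: #{leaked_markup?(preview_unescaped(SAMPLE_PARAMS))}"
  puts "escaped leaks markup:   #{leaked_markup?(preview_escaped(SAMPLE_PARAMS))}"
end
```

A check like `leaked_markup?` can be kept as a regression test for any view that displays user-supplied parameters.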