The password field accepts HTML content. When two-factor authentication is enabled, the submitted password is reflected back to the user when they are prompted for the "one-time-password", and it is rendered as HTML. This vector can be used for a "drive-by" attack: by having a victim visit an attacker-controlled page while logged in, the attacker can force them to issue a second login request containing a prepared password. When that password, which contains a malicious payload, is reflected back to them as HTML, the attacker can gain control of the victim's session.
Upstream Issue: https://issues.jboss.org/browse/AEROGEAR-1514
Statement: Not Vulnerable. Aerogear is not provided by any Red Hat product.
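The reflection described above, next to a hardened first login step, as an added example that is not AeroGear code. All names (`otp_prompt_vulnerable`, `begin_otp_step`, `TRUSTED_ORIGIN`, the `/otp` route, the sample account) are hypothetical, and the flawed function only models the pattern the report describes.

```python
import hashlib
import hmac
import html
import secrets

TRUSTED_ORIGIN = "https://app.example"  # assumption: the application's own origin
SALT = b"constructed-salt"              # constructed sample data
PENDING = {}                            # stand-in for server-side session storage


def kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice": kdf("correct horse")}  # constructed sample account


def otp_prompt_vulnerable(username: str, password: str) -> str:
    """Flawed pattern from the report: the submitted password is written
    into the OTP page unencoded, so the browser parses it as HTML."""
    return f"<p>OTP required for {username}. Password received: {password}</p>"


def begin_otp_step(username: str, password: str, origin: str):
    """Hardened first login step; returns (status, html_body)."""
    # A forced cross-site login POST carries a foreign Origin header: refuse it.
    if origin != TRUSTED_ORIGIN:
        return 403, "<p>Cross-origin login rejected.</p>"
    stored = USERS.get(username)
    supplied = kdf(password)  # always computed, even for unknown usernames
    if stored is None or not hmac.compare_digest(stored, supplied):
        return 401, "<p>Invalid credentials.</p>"
    # Remember only who passed the password check, keyed by a random token.
    token = secrets.token_urlsafe(32)
    PENDING[token] = username
    # Nothing from the password reaches the response; the username is encoded.
    return 200, (
        "<form method='post' action='/otp'>"
        f"<p>One-time password for {html.escape(username, quote=True)}:</p>"
        f"<input type='hidden' name='pending' value='{token}'>"
        "<input name='otp' autocomplete='one-time-code'></form>"
    )
```

The hardened step addresses both halves of the report: the Origin check stops the forced second login, and keeping the pending login server-side means the password is never part of the OTP page.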