An XSS flaw was reported in FreeIPA 4.x that could allow an administrator with lower privileges (such as sudo rights) to escalate their privileges to full administrator. Earlier versions of FreeIPA/IPA do not suffer from this flaw. Statement: This issue did not affect the versions of IPA as shipped with Red Hat Enterprise Linux 6 or 7, as they do not include the vulnerable Web UI code.
The upstream ticket for this report: https://fedorahosted.org/freeipa/ticket/4742
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1165856]