An XSS flaw was reported in FreeIPA 4.x that could allow an administrator with lower privileges (such as sudo rights) to escalate their privileges to full administrator.
Earlier versions of FreeIPA/IPA do not suffer from this flaw.
This issue did not affect the versions of IPA as shipped with Red Hat Enterprise Linux 6 or 7, as they do not include the vulnerable Web UI code.
The upstream ticket for this report:
Created freeipa tracking bugs for this issue:
Affects: fedora-all [bug 1165856]