Description of problem:
There is a possible XSS when altering user details and going somewhere where you are choosing a user

Version-Release number of selected component (if applicable):
Satellite-5.7.0-RHEL6-re20150108.2

How reproducible:
always

Steps to Reproduce:
1. Using the API, set the first and second name of some user to some HTML
2. Go to Channels -> <some_channel> -> Managers
3. Also try to go to Channels -> Manage Software channels -> <some_channel> -> Managers
4. Also try Systems -> System Groups -> <some_system_group> -> Admins

Actual results:
HTML is not escaped correctly in steps "2." and "3." and "4."

Expected results:
HTML is escaped correctly

Additional info:
Discovered while working on bug 1156299.
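The check behind steps 2 to 4 can be automated. This is an added example, not part of the original report and not Spacewalk code. It parses a rendered page and reports whether a name set through the API arrived as a real element (unescaped) or as text (escaped). The probe value, `render_row` and the sample pages are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Constructed, harmless probe value for the user's first name (an assumption;
# the report only says "some HTML").
PROBE_ID = "escape-probe-1"
PROBE = f'<b id="{PROBE_ID}">probe</b>'

class ProbeFinder(HTMLParser):
    """Notes whether the probe reached the page as an element or as text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.as_element = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        if dict(attrs).get("id") == PROBE_ID:
            self.as_element = True   # a browser would build a real <b> node

    def handle_data(self, data):
        self.text.append(data)       # entities arrive here already decoded

def classify(page_html):
    """Return 'unescaped', 'escaped' or 'absent' for one rendered page."""
    finder = ProbeFinder()
    finder.feed(page_html)
    finder.close()
    if finder.as_element:
        return "unescaped"
    return "escaped" if PROBE in "".join(finder.text) else "absent"

def render_row(first, last, escape_output):
    """Hypothetical stand-in for a list view that prints 'Last, First'."""
    if escape_output:
        first, last = escape(first), escape(last)
    return f"<table><tr><td>{last}, {first}</td></tr></table>"

def audit(pages):
    """Classify every page and keep only those that are not 'escaped'."""
    results = {name: classify(body) for name, body in pages.items()}
    return {name: r for name, r in results.items() if r != "escaped"}

# Constructed responses: one view with output escaping, one without.
SAMPLE_PAGES = {
    "list_view_raw": render_row(PROBE, "Doe", escape_output=False),
    "list_view_escaped": render_row(PROBE, "Doe", escape_output=True),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PAGES).items():
        print(f"{verdict}: {name}")
```

Because the name is stored through the API, every view that prints it needs this check, which is why the fix touched more than one page.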
spacewalk git dd418384171473c3e31386a1b4792f8c555dc744
Fixed one more XSS: Admin -> Users
spacewalk git f3792c79c1c251a49cc4e382be8591636326a794
*** Bug 1314906 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-0590.html