Jan Hutař of Red Hat reports: When I create environment with HTML (like '<script>alert("hello")</script>') in name is not escaped properly on some pages when printing it and so might mean XSS attack possibility.
This was actually fixed prior to GA: Was reported on: Satellite-6.0.3-RHEL-6-20140313.0 GA release: Satellite-6.0.4-RHEL-6-20140908.0 So this only affected a beta version of Satellite 6. Closing this as CURRENTRELEASE.