A stored XSS vulnerability was found in smart class parameters and variables that are displayed on the edit pages for hosts and groups. The values for fields can be set by any userwith granted permission to edit those parameters or variables. These fields can store any value which is shown unescaped on the edit pages, leading to a stored XSS vulnerability.
This issue has been addressed in the following products:
Red Hat Satellite 6.1
Via RHSA-2016:0174 https://access.redhat.com/errata/RHSA-2016:0174