A vulnerability was found in foreman. When creating an organization or location in Foreman, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML. This occurs in the alertbox on the page. This may permit a stored XSS attack if an organization/location with HTML in the name is created, then a user is linked directly to this URL. Upstream bug: http://projects.theforeman.org/issues/17195
Acknowledgments: Name: Sanket Jagtap (Red Hat)