Sanket Jagtap of Red Hat reports:
If an organization or location is created with a name containing HTML,
then the administrator-only Settings page will render the HTML as part
of a dropdown menu.
This may permit a stored XSS attack: an organization or location is created
with HTML in its name, and that HTML is rendered unescaped when an
administrator later opens the Settings page to change the default
organization or location.
Name: Sanket Jagtap (Red Hat)
This issue has been addressed in the following products:
Red Hat Satellite 6.3 for RHEL 7
Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336
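The rendering bug described above, as an added Ruby illustration that is not Foreman's or Satellite's own code: a select helper that interpolates the stored name straight into markup beside the escaped version, plus an audit helper a defender can run over existing names. The record shape and the `default_organization` field name are assumptions, and the sample data is constructed.

```ruby
require 'erb'

# Constructed sample records, standing in for what an organisation table
# might hold once a user has saved a name that carries markup.
SAMPLE_ORGS = [
  { id: 1, name: "Engineering" },
  { id: 2, name: "Ops <script>alert(1)</script>" },
].freeze

# Vulnerable pattern: the stored name is concatenated into the option
# label unescaped, so any markup in it becomes part of the page.
def render_vulnerable_select(orgs, selected_id)
  opts = orgs.map do |o|
    sel = o[:id] == selected_id ? " selected" : ""
    "<option value=\"#{o[:id]}\"#{sel}>#{o[:name]}</option>"
  end
  "<select name=\"default_organization\">#{opts.join}</select>"
end

# Hardened pattern: every value that came from the database goes through
# html_escape, so "<" becomes "&lt;" and the browser shows the name as text.
def render_safe_select(orgs, selected_id)
  opts = orgs.map do |o|
    sel = o[:id] == selected_id ? " selected" : ""
    value = ERB::Util.html_escape(o[:id].to_s)
    label = ERB::Util.html_escape(o[:name])
    "<option value=\"#{value}\"#{sel}>#{label}</option>"
  end
  "<select name=\"default_organization\">#{opts.join}</select>"
end

# Audit helper: ids of records whose name contains characters that have
# meaning in HTML, for review before an administrator opens the page.
MARKUP_RE = /[<>"'&]/.freeze

def names_with_markup(orgs)
  orgs.select { |o| o[:name].match?(MARKUP_RE) }.map { |o| o[:id] }
end

if $PROGRAM_NAME == __FILE__
  puts render_vulnerable_select(SAMPLE_ORGS, 2)
  puts render_safe_select(SAMPLE_ORGS, 2)
  puts "names needing review: #{names_with_markup(SAMPLE_ORGS).inspect}"
end
```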