In the OpenShift web console, versions 3.11 and 4.x, an attacker can craft a URL that injects arbitrary text into error pages. This could be used to convince a user that the injected text is legitimate.
As pointed out by firstname.lastname@example.org, this issue also affects OpenShift 4.x:
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Upstream fix: https://github.com/openshift/origin-web-console/pull/3173