Users can create malicious YAML content (for example, a host parameter containing HTML content). When viewed with the Foreman UI, the YAML preview feature will execute the HTML.
Acknowledgements: This issue was discovered by Dominic Cleal of Red Hat.
Upstream fix (in 1.4.5 and 1.5.1): http://projects.theforeman.org/projects/foreman/repository/revisions/d40f5409ac36c1eab7b8a5ccf3d91cc6db90ce70

External References: http://theforeman.org/security.html#2014-3492
This issue has been addressed in the following products:

Red Hat Satellite 6

Via the GA release of Satellite 6.
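
The class of bug described above (user-controlled values serialized to YAML and then placed in an HTML preview) is shown here as an added example; it is not Foreman's code or the upstream fix. The method names, the `yaml-preview` class and the sample parameters are hypothetical and constructed for illustration.

```ruby
require "yaml"
require "erb"

# Constructed sample: host parameters where one value carries HTML markup.
SAMPLE_PARAMS = {
  "parameters" => {
    "ntp_server" => "ntp.example.com",
    "motd"       => "<script>alert(1)</script>", # constructed, user-controlled
  },
}.freeze

# Vulnerable pattern: the YAML text is interpolated into markup unescaped,
# so any HTML inside a parameter value becomes live markup in the page.
def preview_unsafe(data)
  "<pre class=\"yaml-preview\">#{data.to_yaml}</pre>"
end

# Hardened pattern: escape the serialized YAML at the point where it enters
# the HTML context. The YAML itself is left untouched for its real consumers.
def preview_safe(data)
  "<pre class=\"yaml-preview\">#{ERB::Util.html_escape(data.to_yaml)}</pre>"
end

# Regression check: strip the known wrapper and report whether any raw
# angle bracket survived inside the preview body.
def raw_markup?(preview_html)
  inner = preview_html
          .sub(/\A<pre class="yaml-preview">/, "")
          .sub(%r{</pre>\z}, "")
  inner.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe preview contains raw markup: #{raw_markup?(preview_unsafe(SAMPLE_PARAMS))}"
  puts "safe preview contains raw markup:   #{raw_markup?(preview_safe(SAMPLE_PARAMS))}"
end
```

A check like `raw_markup?` can be kept as a view-level regression test so that a later template change that reintroduces unescaped output is caught.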