Sanket Jagtap of Red Hat reports: If an organization or location is created with a name containing HTML, then the administrator-only Settings page will render the HTML as part of a dropdown menu. This may permit a stored XSS attack if an organization/location with HTML in the name is created, then an administrator attempts to change the default organization/location settings.

Upstream bug: http://projects.theforeman.org/issues/15037
Upstream patch: https://github.com/theforeman/foreman/pull/3523
Acknowledgments: Name: Sanket Jagtap (Red Hat)
This issue has been addressed in the following products:

Red Hat Satellite 6.3 for RHEL 7 via RHSA-2018:0336
https://access.redhat.com/errata/RHSA-2018:0336
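The rendering pattern behind this class of bug, as an added illustration in plain Ruby (this is not Foreman's code or the upstream patch): a dropdown builder that interpolates the stored organization name verbatim beside one that escapes it with ERB::Util.html_escape. The sample names and the helper functions are constructed for this example.

```ruby
require "erb"

# Constructed sample data: one ordinary name and one that carries markup.
# (Illustrative values, not taken from the advisory.)
ORG_NAMES = ["Engineering", "Acme <script>alert('xss')</script>"].freeze

# Vulnerable builder: the stored name is dropped into the markup as-is,
# so any tags inside it become live elements when an admin loads the page
# (the stored XSS pattern the advisory describes).
def unsafe_options(names)
  names.map { |n| "<option value=\"#{n}\">#{n}</option>" }.join
end

# Hardened builder: every untrusted value is HTML-escaped before it is
# placed into element content or an attribute value, so the browser shows
# the literal characters instead of interpreting them.
def safe_options(names)
  names.map do |n|
    esc = ERB::Util.html_escape(n)
    "<option value=\"#{esc}\">#{esc}</option>"
  end.join
end

# Defensive check a view test can run: the rendered fragment must not
# contain a raw <script> tag that originated from user-controlled data.
def contains_raw_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{unsafe_options(ORG_NAMES)}"
  puts "hardened:   #{safe_options(ORG_NAMES)}"
end
```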