Jan Hutar of Red Hat reports:
By altering client side code or with a custom event failure message (via schedule.failSystemAction API call, the Schedule -> Failed Actions -> <action> -> Failed Systems page allows XSS.
Name: Jan Hutar (Red Hat)
This issue has been addressed in the following products:
Red Hat Satellite 5.8
Red Hat Satellite 5.8 ELS
Via RHSA-2017:1558 https://access.redhat.com/errata/RHSA-2017:1558