A flaw was found in foreman from versions 1.18. A stored cross-site scripting vulnerability due to an improperly escaped HTML code in the breadcrumbs bar. This allows a user with permissions to edit which attribute is used in the breadcrumbs bar to store code that will be executed on the client side. References: https://projects.theforeman.org/issues/25169 Introduced in: https://projects.theforeman.org/issues/22855
Acknowledgments: Name: Sanket Jagtap (Red Hat Pune India)
External References: https://projects.theforeman.org/issues/25169
*** Bug 1645190 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Satellite 6.5 for RHEL 7 Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222