A flaw was found in Foreman before versions 1.18.3, 1.19.1, 1.20.0. A stored XSS in the entity creation field.
Name: Sanket Jagtap (Red Hat Pune India)
*** Bug 1645208 has been marked as a duplicate of this bug. ***
Note that job invocation uses the same code to generate a toast message when successfully creating the job; hence that's another vector for exploiting this issue. That's the reason for Bug #1645208 being marked as a duplicate of this one.
This issue has been addressed in the following products:
Red Hat Satellite 6.5 for RHEL 7
Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222
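The comment above notes that entity creation and job invocation share one toast-generating code path, which is why both reports collapse into one bug. The following is an added example, not Foreman's code and not part of the original report: the helper names, the toast template and the sample name are all hypothetical, and it shows escaping in the shared helper covering both flows at once.

```javascript
// Added example: every name and the template below are hypothetical, not Foreman's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" shape: the stored name is interpolated into markup as-is.
function unsafeToastHtml(action, name) {
  return `<div class="toast success">${action} <b>${name}</b></div>`;
}

// Hardened shape: the shared helper escapes every value it embeds.
function safeToastHtml(action, name) {
  return `<div class="toast success">${escapeHtml(action)} <b>${escapeHtml(name)}</b></div>`;
}

// Both flows call the same renderer, so one fix covers both vectors.
function entityCreatedToast(render, entityName) {
  return render('Successfully created', entityName);
}
function jobInvokedToast(render, jobName) {
  return render('Successfully started job', jobName);
}

// Regression check: does the rendered toast contain tags beyond the template's own?
function hasUnexpectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const allowed = new Set(['<div class="toast success">', '</div>', '<b>', '</b>']);
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: a stored name carrying an inert marker element.
const SAMPLE_NAME = 'web01<i id="marker">x</i>';

for (const [label, render] of [['unsafe', unsafeToastHtml], ['safe', safeToastHtml]]) {
  console.log(label, 'entity:', hasUnexpectedMarkup(entityCreatedToast(render, SAMPLE_NAME)));
  console.log(label, 'job:   ', hasUnexpectedMarkup(jobInvokedToast(render, SAMPLE_NAME)));
}
```

A check like `hasUnexpectedMarkup` fits a regression test for any flow that reuses the toast helper, so a new caller cannot reintroduce the issue unnoticed.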