A flaw was found in foreman before versions 1.18.3, 1.19.1, 1.20.0. A stored XSS in the entity creation field. References: https://projects.theforeman.org/issues/24807 Upstream Patches: https://github.com/theforeman/foreman/pull/6060 https://github.com/theforeman/foreman/pull/6041
Acknowledgments: Name: Sanket Jagtap (Red Hat Pune India)
*** Bug 1645208 has been marked as a duplicate of this bug. ***
Note that job invocation uses the same code to generate a toast message when a job is created successfully, hence that's another vector for exploiting this issue. That's the reason Bug #1645208 has been marked as a duplicate of this one.
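The toast-message pattern described above, as an added illustration that is not Foreman's code: a success notice that interpolates the stored entity name into HTML without escaping (the vulnerable shape), beside the same notice with the name escaped, plus a small check a reviewer could use to confirm that rendered markup carries no tags beyond the template. The function names and the sample entity name are assumptions constructed for the example.

```javascript
// Added example (not Foreman's code). Models a success toast of the form
// "Successfully created <name>" where <name> is a stored, user-controlled value.

// Vulnerable pattern: the entity name is interpolated into HTML unescaped,
// so any markup stored in the name becomes part of the page (stored XSS).
function buildToastUnsafe(entityName) {
  return `<div class="toast">Successfully created ${entityName}</div>`;
}

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: escape before interpolating, so the name is displayed literally.
function buildToastSafe(entityName) {
  return `<div class="toast">Successfully created ${escapeHtml(entityName)}</div>`;
}

// Review/test helper: after removing the template's own wrapper, does the
// rendered markup still contain a tag? Any hit means user data reached HTML.
function containsUnexpectedTag(html) {
  const body = html
    .replace(/^<div class="toast">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z\/]/.test(body);
}

// Constructed sample: an entity name that carries markup.
const sampleName = "<b>host-01</b>";

// Rendered strings for comparison.
const unsafeToast = buildToastUnsafe(sampleName);
const safeToast = buildToastSafe(sampleName);
```

Running the same check against the two builders makes the difference visible without a browser: the unsafe form carries the stored `<b>` tag into the page, the escaped form shows it as text.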
This issue has been addressed in the following products: Red Hat Satellite 6.5 for RHEL 7 Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222