Two endpoints, federation and shovel, do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
Created rabbitmq-server tracking bugs for this issue:
Affects: fedora-all [bug 1783329]
Affects: openstack-rdo [bug 1783328]