A stored XSS vulnerability has been found in the super user function. Attackers are able to use the name field of service key to inject scripts and make it run when admin users try to change the name.
Name: Jeremy Choi (Red Hat)
This bug was addressed with both closing of the client side XSS issue AND server side validation of the service key name in a change that was released this past summer
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):