A reflected XSS vulnerability exists in authentication flow of OpenShift Container Platform. An attacker could use this flaw to steal authentication data by getting them to click on a malicious link.
Name: Jeremy Choi (Red Hat)
Since the HTTP Response "Content Type" is "text/plain" most browsers won't execute any Javascipt in the response content. However if an attacker can trick a user into loading the response in an iFrame it is possible to exploit this vulnerability. Appropriate Cross Origin Resource (CORS) Allowed Domain configuration in OCP 3 should prevent an attacker from getting any response from a attacker hosted domain. Therefore make sure that corsAllowedDomains is specified correctly in your OCP 3 master-config.yaml. See  for more details on an issue with corsAllowedDomains in OCP 3.