Name: Amit Laish (GE Digital, Cyber Security Lab)
HTML-encode the user's first name and last name, so that when the browser receives them from the server they are embedded in the HTML page as text and not executed.
Make sure to use the CSP (Content Security Policy) browser protection mechanism.
Reimplement the realm separation in such a manner that each realm is accessible via a different subdomain. By doing so, the SOP (Same Origin Policy) browser protection mechanism limits the attacker's abilities; for example, the attacker should not be able to read the responses to its malicious requests in XSS scenarios.
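The three recommendations above, worked through as an added Python example that is not part of the original report or of the product it concerns: it renders a profile fragment with and without HTML encoding, attaches a CSP header, and checks whether two realm URLs share a browser origin. The sample names, hostnames and the exact CSP directives are assumptions chosen for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: a first name carrying markup, as a stored-XSS
# report would contain it, and a last name with characters that also matter
# inside HTML attributes. Both values are illustrative only.
FIRST_NAME = "<script>alert(1)</script>"
LAST_NAME = "O'Brien & Sons"


def render_profile_unsafe(first, last):
    """'Before' rendering: raw interpolation, so any tags in the value are
    interpreted by the browser instead of shown as text."""
    return f"<p>Hello {first} {last}</p>"


def render_profile(first, last):
    """Hardened rendering: HTML-encode user-controlled values before embedding
    them. quote=True also encodes ' and ", so the same encoded value is safe
    inside a quoted attribute, not only in element text."""
    f = html.escape(first, quote=True)
    l = html.escape(last, quote=True)
    return f'<p>Hello {f} {l}</p><input name="first" value="{f}">'


# Assumed CSP: only same-origin scripts, no plugins, no framing. Real policies
# are tuned per application; this is a starting point, not the product's policy.
CSP = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'"
)


def response_headers():
    """Headers a server would send with the rendered page."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
    }


def origin(url):
    """Browser origin tuple (scheme, host, port) for a URL."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def same_origin(a, b):
    """True when the browser treats the two URLs as the same origin, i.e. when
    script running on one can read responses fetched from the other."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    print(render_profile_unsafe(FIRST_NAME, LAST_NAME))
    print(render_profile(FIRST_NAME, LAST_NAME))
    print(response_headers())
    # Path-separated realms share an origin; subdomain-separated ones do not.
    print(same_origin("https://auth.example.com/realms/a",
                      "https://auth.example.com/realms/b"))
    print(same_origin("https://a.example.com/", "https://b.example.com/"))
```

The origin check is the point of the third recommendation: with realms under one host and different paths, the same-origin check passes and script injected into one realm can read the other realm's responses; moving each realm to its own subdomain makes that check fail.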
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):