Foreman is vulnerable to cross-site scripting (XSS). A remote authenticated attacker can inject arbitrary web script or HTML via the network interface device identifier in the host interface form.
projects.theforeman.org/issues/16022
www.securityfocus.com/bid/92431
access.redhat.com/errata/RHBA-2016:1885
access.redhat.com/security/cve/CVE-2016-6320
bugzilla.redhat.com/show_bug.cgi?id=1117753
bugzilla.redhat.com/show_bug.cgi?id=1161643
bugzilla.redhat.com/show_bug.cgi?id=1185838
bugzilla.redhat.com/show_bug.cgi?id=1188796
bugzilla.redhat.com/show_bug.cgi?id=1231369
bugzilla.redhat.com/show_bug.cgi?id=1275183
bugzilla.redhat.com/show_bug.cgi?id=1281687
bugzilla.redhat.com/show_bug.cgi?id=1316703
bugzilla.redhat.com/show_bug.cgi?id=1318538
bugzilla.redhat.com/show_bug.cgi?id=1325989
bugzilla.redhat.com/show_bug.cgi?id=1327292
bugzilla.redhat.com/show_bug.cgi?id=1331660
bugzilla.redhat.com/show_bug.cgi?id=1332596
bugzilla.redhat.com/show_bug.cgi?id=1332625
bugzilla.redhat.com/show_bug.cgi?id=1334650
bugzilla.redhat.com/show_bug.cgi?id=1336007
bugzilla.redhat.com/show_bug.cgi?id=1336365
bugzilla.redhat.com/show_bug.cgi?id=1336716
bugzilla.redhat.com/show_bug.cgi?id=1361309
bugzilla.redhat.com/show_bug.cgi?id=1362194
bugzilla.redhat.com/show_bug.cgi?id=1365299
bugzilla.redhat.com/show_bug.cgi?id=1365785
bugzilla.redhat.com/show_bug.cgi?id=1366327
bugzilla.redhat.com/show_bug.cgi?id=1370224
bugzilla.redhat.com/show_bug.cgi?id=1372436
bugzilla.redhat.com/show_bug.cgi?id=1372475
bugzilla.redhat.com/show_bug.cgi?id=1372482
github.com/theforeman/foreman/pull/3714/commits/850c38451c7bbde75521b796d16aca26e4d240a0
theforeman.org/security.html#2016-6320