spacewalk-java is vulnerable to cross-site scripting (XSS). spacewalk-java in Spacewalk and Red Hat Satellite 5.7 allows remote authenticated users to inject arbitrary web script or HTML via crafted XML data sent to the XMLRPC API, involving user details. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-7811.
rhn.redhat.com/errata/RHSA-2016-0590.html
access.redhat.com/errata/RHSA-2016:0590
access.redhat.com/security/cve/CVE-2015-0284
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1181152
bugzilla.redhat.com/show_bug.cgi?id=1181472
bugzilla.redhat.com/show_bug.cgi?id=1313515
bugzilla.redhat.com/show_bug.cgi?id=1313517
bugzilla.redhat.com/show_bug.cgi?id=1314906
bugzilla.redhat.com/show_bug.cgi?id=1315398
bugzilla.redhat.com/show_bug.cgi?id=1320444
bugzilla.redhat.com/show_bug.cgi?id=1320452
github.com/spacewalkproject/spacewalk/commit/dd418384171473c3e31386a1b4792f8c555dc744
github.com/spacewalkproject/spacewalk/commit/f3792c79c1c251a49cc4e382be8591636326a794