A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can inject a stored cross-site scripting (XSS) payload into cluster objects (such as ClusterVersion spec.channel) that executes in the browser of any user who opens the generated HTML report.
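The escaping gap described above, shown as an added example that is not the project's own code: a report renderer that concatenates cluster values into HTML next to one that escapes every cluster-sourced key and value for element and attribute context. The function names, the table layout, the sample object and the choice of Python are assumptions made for illustration; the advisory does not describe the generator's implementation.

```python
import html

# Constructed sample: a ClusterVersion-like object whose spec.channel
# carries markup instead of a channel name.
SAMPLE = {
    "kind": "ClusterVersion",
    "metadata": {"name": "version"},
    "spec": {"channel": 'stable-4.16"><script>alert(1)</script>'},
}

def flatten(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf in a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj

def render_unsafe(obj):
    """The flawed pattern: cluster values concatenated straight into HTML."""
    rows = "".join(
        f'<tr><td>{k}</td><td title="{v}">{v}</td></tr>'
        for k, v in flatten(obj)
    )
    return f"<table>{rows}</table>"

def render_safe(obj):
    """Escape every key and value; quote=True also covers attribute context."""
    rows = "".join(
        '<tr><td>{0}</td><td title="{1}">{1}</td></tr>'.format(
            html.escape(str(k), quote=True), html.escape(str(v), quote=True)
        )
        for k, v in flatten(obj)
    )
    return f"<table>{rows}</table>"

def has_live_markup(report):
    """Regression check for this sample: did a cluster value survive as a tag?"""
    return "<script" in report.lower()

if __name__ == "__main__":
    print("unsafe report contains live markup:", has_live_markup(render_unsafe(SAMPLE)))
    print("safe report contains live markup:  ", has_live_markup(render_safe(SAMPLE)))
```

Keys are escaped as well as values because both come from cluster objects that the report treats as untrusted input.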
Credits
This issue was discovered by Jon Weiser (Red Hat), Oleg Sushchenko (Red Hat), and Raul Bringas (Red Hat).