Improper Input Validation
CVE-2019-11881
Summary
A vulnerability exists in Rancher, in the "login" component, where the "errorMsg" parameter can be tampered with to display arbitrary content. HTML tags are filtered out of the message, but special characters and symbols are not, and there is no other limitation on its content or length. Because the text is rendered inside the trusted login page, a malicious user can craft a login link that lures legitimate users to phishing sites with scare tactics, e.g., by displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message. Note that this is content spoofing rather than script injection: output encoding alone does not prevent it; only refusing attacker-supplied message text does. This vulnerability affects github.com/rancher/rancher package versions 2.0.7-rc1 through 2.2.4-rc6, and 2.3.0-alpha1 through 2.3.0-alpha3.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- NONE
- NONE
CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
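The following is an added worked example, written for this page and not taken from Rancher's code base. It contrasts the flawed pattern the summary describes (strip tags from a reflected "errorMsg" parameter, then display it) with an allowlist approach in which the client may only select a server-defined message by code, and adds a small log-review heuristic. Function names, the error-code allowlist, the page fragment and the sample query string are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Constructed illustration of the CVE-2019-11881 pattern; not Rancher's code.
// Function names, the error-code allowlist and the sample query string are
// assumptions made for this example.

// tagRe matches anything that looks like an HTML tag.
var tagRe = regexp.MustCompile(`<[^>]*>`)

// vulnerableErrorMsg mirrors the flawed approach the advisory describes:
// the user-controlled "errorMsg" parameter is reflected after stripping tags
// only. Markup is gone, so scripts cannot run, but free-form text, URLs and
// punctuation survive, which is all a phishing lure needs.
func vulnerableErrorMsg(rawQuery string) string {
	q, _ := url.ParseQuery(rawQuery)
	return tagRe.ReplaceAllString(q.Get("errorMsg"), "")
}

// renderLoginPage shows why output encoding alone does not close this hole:
// escaping is correct against XSS, yet the attacker's sentence is displayed
// verbatim inside the trusted login page.
func renderLoginPage(msg string) string {
	if msg == "" {
		return `<form id="login"></form>`
	}
	return `<p class="login-error">` + html.EscapeString(msg) + `</p><form id="login"></form>`
}

// knownErrors is an allowlist of server-defined messages (assumed codes).
// The client may only select one by code; it can never supply the text.
var knownErrors = map[string]string{
	"invalid-credentials": "Invalid username or password.",
	"session-expired":     "Your session has expired. Please log in again.",
	"provider-error":      "The authentication provider returned an error.",
}

// hardenedErrorMsg treats errorMsg as an opaque code. Anything not in the
// allowlist collapses to a fixed generic message, so no attacker-chosen
// wording can reach the page regardless of its length or characters.
func hardenedErrorMsg(rawQuery string) string {
	q, _ := url.ParseQuery(rawQuery)
	code := strings.ToLower(strings.TrimSpace(q.Get("errorMsg")))
	if code == "" {
		return ""
	}
	if m, ok := knownErrors[code]; ok {
		return m
	}
	return "Login failed."
}

// isSuspiciousErrorMsg is a log-review heuristic for spotting exploitation
// attempts against unpatched instances: a legitimate errorMsg value is a short
// code, so URLs, whitespace or long free text in the parameter stand out.
func isSuspiciousErrorMsg(rawQuery string) bool {
	q, _ := url.ParseQuery(rawQuery)
	v := q.Get("errorMsg")
	return strings.Contains(v, "://") ||
		strings.Contains(strings.ToLower(v), "www.") ||
		strings.ContainsAny(v, " \t\n") ||
		len(v) > 64
}

func main() {
	// Constructed lure, modelled on the advisory's example message.
	lure := "errorMsg=" + url.QueryEscape(
		"This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading")
	fmt.Println("vulnerable:", renderLoginPage(vulnerableErrorMsg(lure)))
	fmt.Println("hardened:  ", renderLoginPage(hardenedErrorMsg(lure)))
	fmt.Println("suspicious:", isSuspiciousErrorMsg(lure))
}
```

The design point is that the tag filter and the HTML escaping are both doing their job and the page is still exploitable, because the attacker never needed markup. The only robust fix is to stop treating the parameter as text at all: map it to a fixed set of server-owned messages and fall back to a generic one for anything else. The heuristic is deliberately crude; tune the length threshold to the longest legitimate code your deployment uses.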