CVSS 3 Base Score:
Posted On:
Assessed Risk Level:
The Puppet Enterprise Console does not properly validate the string parameter used to set the URL target for the next page transition. This can be leveraged to inject javascript into the output, which will then be executed after the login has completed.Status:
Affected software versions:- Puppet Enterprise 2015.2.0
- Puppet Enterprise 2015.2.1