A bug in Puppet Dashboard versions 1.0 - 1.2.4 allows for Cross Site Scripting (XSS) attacks on certain input fields.
This could potentially allow a malicious user to share Puppet Dashboard data with other websites, or manipulate fields in the Dashboard database.