A bug in Puppet Dashboard versions 1.0 - 1.2.4 allows for Cross Site Scripting (XSS) attacks on certain input fields.

This could potentially allow a malicious user to share Puppet Dashboard data with other websites, or manipulate fields in the Dashboard database.


  • Resolved in Puppet Dashboard 1.2.5. source, rpm, deb
  • Resolved in Puppet Enterprise 1.2.5 and 2.0.1
  • Hotfixes available for Puppet Enterprise 1.0, 1.1, and 1.2.x