A bug in Puppet Dashboard versions 1.0 - 1.2.4 allows for Cross Site Scripting (XSS) attacks on certain input fields.

This could potentially allow a malicious user to share Puppet Dashboard data with other websites, or manipulate fields in the Dashboard database.

Status

• Resolved in Puppet Dashboard 1.2.5. source, rpm, deb
• Resolved in Puppet Enterprise 1.2.5 and 2.0.1
• Hotfixes available for Puppet Enterprise 1.0, 1.1, and 1.2.x

Hotfixes

• http://puppetlabs.com/security/cve/cve-2012-0891/hotfixes/