CVE-2013-4955 (Phishing Through URL Redirection Vulnerability)

  • Posted August 15, 2013

  • Assessed Risk Level: Low

The login page for the application could be manipulated into redirecting to a third-party website. A hidden field on the login page contains a parameter called "service", which controls where the application redirects to after the user logs in. An attacker could potentially construct a malicious login form with a service value that causes the application to redirect to a phishing website controlled by the attacker. Note that this is an unlikely attack scenario.


  • Resolved in Puppet Enterprise 3.0.1
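
One way to validate a post-login redirect target such as the "service" value described above. This is an added example, not Puppet's code or the fix shipped in 3.0.1; the function name, the host allow-list and the default target are assumptions.

```ruby
require "uri"

# Assumed values for illustration; not taken from the advisory.
ALLOWED_HOSTS = ["console.example.test"].freeze
DEFAULT_TARGET = "/"

# Returns the submitted "service" value only if it is a same-site path or an
# https URL on an allow-listed host; otherwise returns the default target.
def safe_service_target(service, allowed_hosts: ALLOWED_HOSTS, default: DEFAULT_TARGET)
  return default if service.nil? || service.empty?
  # Control characters, whitespace and backslashes are rewritten by browsers
  # in ways URI parsers do not model, so refuse them outright.
  return default if service.match?(/[\x00-\x20\\]/)

  uri = URI.parse(service)

  if uri.scheme.nil? && uri.host.nil?
    # Relative reference: accept a single-slash absolute path only.
    # A leading "//" is scheme-relative and would leave the site.
    same_site = service.start_with?("/") && !service.start_with?("//")
    return same_site ? service : default
  end

  # Absolute (or scheme-relative) URL: https only, no userinfo, exact host match.
  return default unless uri.scheme == "https"
  return default unless uri.userinfo.nil?
  return default unless allowed_hosts.include?(uri.host.to_s.downcase)

  service
rescue URI::InvalidURIError
  # Anything the parser cannot make sense of is not a valid redirect target.
  default
end
```

The check runs on the server at the point of redirect, since a hidden form field is fully controlled by whoever submits the form.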