CVE-2013-4962 (Lack of Reauthentication for Sensitive Transactions)

  • Posted August 15, 2013

  • Assessed Risk Level: Medium

The reset password page performed a sensitive transaction, changing the logged-in user's password, without requiring the user to re-enter their current password: a valid session was the only proof of identity it checked. If an attacker hijacked a user's session by exploiting some other vulnerability in the application, that session alone was therefore enough to perform an even more sensitive transaction, resetting the victim's password, and to turn a temporary session compromise into a persistent account takeover.


  • Affected Versions: Puppet Enterprise 2.x, 3.0.0
  • Resolved in Puppet Enterprise 3.0.1.
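The missing check described above, shown as a vulnerable handler beside a hardened one. This is an added example written for this page, not Puppet Enterprise's code: the in-memory user store, the handler names and the session/params hashes are all hypothetical stand-ins for a web application's database, controller actions and request objects.

```ruby
require "openssl"
require "securerandom"

# Minimal in-memory user store standing in for the application's database.
# Constructed for this example; it is not Puppet Enterprise's code or schema.
class UserStore
  Record = Struct.new(:salt, :digest)
  ITERATIONS = 100_000
  KEY_LEN = 32

  def initialize
    @users = {}
  end

  def create(username, password)
    salt = SecureRandom.random_bytes(16)
    @users[username] = Record.new(salt, derive(password, salt))
  end

  # Replaces the stored credential; this is the "sensitive transaction".
  def set_password(username, new_password)
    raise ArgumentError, "unknown user" unless @users.key?(username)
    create(username, new_password)
  end

  # True only if +password+ matches the stored credential for +username+.
  def authenticate?(username, password)
    rec = @users[username]
    return false if rec.nil?
    secure_compare(derive(password, rec.salt), rec.digest)
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                               OpenSSL::Digest.new("SHA256"))
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# VULNERABLE: the pattern the advisory describes. Any request that carries a
# valid session may change the password; the session is the only proof of identity.
def reset_password_vulnerable(store, session, params)
  return :not_logged_in unless session[:user]
  store.set_password(session[:user], params[:new_password])
  :changed
end

# HARDENED: the same handler with a reauthentication step. The request must also
# carry the account's current password, verified before the sensitive transaction
# runs, so a hijacked session alone is no longer enough to take over the account.
def reset_password_hardened(store, session, params)
  return :not_logged_in unless session[:user]
  unless store.authenticate?(session[:user], params[:current_password].to_s)
    return :reauth_failed
  end
  store.set_password(session[:user], params[:new_password])
  :changed
end

# Walks through the attack: an attacker holding only a hijacked session (constructed
# here as a bare session hash) tries both handlers. Returns both outcomes.
def demo
  vulnerable = UserStore.new
  vulnerable.create("alice", "correct horse battery staple")
  hardened = UserStore.new
  hardened.create("alice", "correct horse battery staple")
  hijacked_session = { user: "alice" }          # stolen cookie; password unknown
  attacker_params = { new_password: "attacker-chosen" }
  {
    vulnerable: reset_password_vulnerable(vulnerable, hijacked_session, attacker_params),
    hardened: reset_password_hardened(hardened, hijacked_session, attacker_params)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In the vulnerable handler the attacker's request succeeds with nothing but the stolen session; in the hardened one it is refused because the current password is verified first. Two related steps a practitioner would normally pair with this fix, not stated in the advisory itself: invalidate the user's other sessions once the password changes, and apply the same reauthentication requirement to every other transaction of comparable sensitivity (changing the e-mail address, adding credentials, granting privileges), since any of them lets a hijacked session become permanent.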