CVE-2013-4968 (Site Lacked Clickjacking Defense)
Posted August 15, 2013
The Puppet Enterprise console was vulnerable to UI redress attack, also known as clickjacking, where an attacker can trick users into clicking a button or link on a transparent or opaque layer rather than on the page they were intending to click. This way, the click is hijacked and the user is routed to another page, site or application. Similarly, this process can be used to trick users into entering passwords to email, bank account, or other sensitive sites.
In addition, live management was vulnerable to cross-site scripting (XSS), which enables attackers to inject malicious scripts into trusted web sites, and use the scripts to access sensitive information retained by your browser and used with the trusted site. These scripts can also rewrite the content of the HTML page.
- Affected Versions: Puppet Enterprise 2.x, 3.0.0
- Resolved in Puppet Enterprise 3.0.1