The Puppet Enterprise Console does not properly validate the string parameter used to set the URL target for the next page transition. This can be leveraged to create believable phishing attacks and potentially harvest the victim's console credentials. This was thought to be resolved with the fix for CVE-2015-6501, but the fix was incomplete. Puppet Enterprise 2016.4.0 includes a fix for this vulnerability.
Thanks to John Page aka hyp3rlinx for responsibly disclosing this issue to us. This issue was also independently reported by NCC Group.
Affected Software Versions: