On August 8, 2016, Ruby on Rails announced a cross site scripting (XSS) vulnerability in Action View.
Previous versions of Puppet Enterprise shipped with a vulnerable version of Rails. Puppet Enterprise 3.8.7 contains an updated version of Rails that patches the vulnerability..
For more information about these vulnerabilities, refer to the [Ruby on Rails security announcement] (http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/).
Affected Software Versions: