CVE-2013-4955

Overview

CVE-2013-4955 (Phishing Through URL Redirection Vulnerability)

  • Posted August 15, 2013

  • Assessed Risk Level: Low

The login page for the application could be manipulated into redirecting to a third-party website.
A hidden field on the login page contains a parameter called “service”, which controls where the application redirects after the user logs in. An attacker could potentially construct a malicious login form with a service value that causes the application to redirect to a phishing website controlled by the attacker. Note that this is an unlikely attack scenario.
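
One way to validate a submitted `service` value before redirecting, shown as an added example (it is not Puppet's code and not the fix shipped in 3.0.1). The host `console.example.test`, the constants and the `safe_service_target` helper are hypothetical names chosen for illustration, and requiring `https` is an assumption.

```ruby
require 'uri'

# Hosts the login page may redirect to after authentication.
# Constructed placeholder; a deployment would list its own console host(s).
ALLOWED_HOSTS = ['console.example.test'].freeze
DEFAULT_TARGET = '/'

# Returns the redirect target to use for a submitted `service` value,
# falling back to DEFAULT_TARGET whenever the value is not trusted.
def safe_service_target(service)
  return DEFAULT_TARGET unless service.is_a?(String) && service.valid_encoding?
  return DEFAULT_TARGET if service.empty?

  # Browsers strip tabs/newlines and treat "\" like "/", so a value that
  # looks like a local path can still resolve to another host. Reject
  # control characters, spaces and backslashes outright.
  return DEFAULT_TARGET if service.match?(/[\x00-\x20\x7f\\]/)

  begin
    uri = URI.parse(service)
  rescue URI::InvalidURIError
    return DEFAULT_TARGET
  end

  if uri.scheme.nil?
    # Relative reference: accept only an absolute path on this site.
    # "//host/..." and "///host/..." are network-path forms, not local paths.
    local = uri.host.nil? && service.start_with?('/') && !service.start_with?('//')
    return local ? service : DEFAULT_TARGET
  end

  # Absolute URL: exact scheme, no userinfo ("user@host"), allowlisted host.
  return DEFAULT_TARGET unless uri.scheme.downcase == 'https'
  return DEFAULT_TARGET unless uri.userinfo.nil?
  return DEFAULT_TARGET unless ALLOWED_HOSTS.include?(uri.host.to_s.downcase)

  service
end
```

The check belongs on the server at the point where the redirect is issued, because the hidden field is client-controlled and can carry any value.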

Status

  • Resolved in Puppet Enterprise 3.0.1