A bug in Puppet Dashboard versions 1.0 - 1.2.4 allows for Cross Site Scripting (XSS) attacks on certain input fields.
This could potentially allow a malicious user to share Puppet Dashboard data with other websites, or manipulate fields in the Dashboard database.
- Resolved in Puppet Dashboard 1.2.5. source, rpm, deb
- Resolved in Puppet Enterprise 1.2.5 and 2.0.1
- Hotfixes available for Puppet Enterprise 1.0, 1.1, and 1.2.x