Detections
Analytics

Puppet Dashboard Multiple XSS Vulnerabilities

medium Nessus Plugin ID 73823

Language:

Synopsis

A web application on the remote host is potentially affected by multiple cross-site scripting vulnerabilities.

Description

According to its self-reported version number, the Puppet Dashboard install on the remote host is later than version 1.0 but prior to 1.2.5. It is, therefore, affected by multiple cross-site scripting vulnerabilities.

Multiple cross-site scripting flaws exist where unspecified input is not validated before being returned to the user. This could allow a remote attacker to execute arbitrary code within the browser and server trust relationship.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Puppet Dashboard 1.2.5 or later.

See Also

https://puppet.com/security/cve/cve-2012-0891

Plugin Details

Severity: Medium

ID: 73823

File Name: puppet_dashboard_125.nasl

Version: 1.8

Type: remote

Published: 5/2/2014

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:puppetlabs:puppet_dashboard

Required KB Items: Settings/ParanoidReport

Exploit Ease: No exploit is required

Patch Publication Date: 1/26/2012

Vulnerability Publication Date: 1/26/2012

Reference Information

CVE: CVE-2012-0891

BID: 66602

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990