CVE-2013-4962 Information

Description

The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password which allows attackers to modify user passwords by leveraging session hijacking an unattended workstation or other vectors.

Reference

http://puppetlabs.com/security/cve/cve-2013-4962/