Puppet Enterprise Web Interface versions prior to 2016.4.0 suffer from an open redirection vulnerability.