Puppet Enterprise Web Interface versions before 2016.4.0 suffer from an open redirection vulnerability.