Details
-
Bug
-
Status: Resolved (View Workflow)
-
Low
-
Resolution: Fixed
-
Meridian-2021.1.3
-
None
-
Security Level: Default (Default Security Scheme)
-
Horizon 22 - Feb 2 - Feb 16, Horizon 22 - Feb 16 - Mar 2
-
NB
Description
Vulnerability Description: Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
Evidence: Following instances of this issue were identified, at the following locations:
/opennms/account/selfService/newPasswordEntry
/opennms/admin/userGroupView/users/newUser.jsp
/opennms/login.jsp
/opennms/login.jsp;jsessionid=node0195bty4d669od38s4yghr8p1t54869.node0
/opennms/support/index.htm
Evidence: Following instances of this issue were identified, at the following locations:
/opennms/account/selfService/newPasswordEntry
/opennms/admin/userGroupView/users/newUser.jsp
/opennms/login.jsp
/opennms/login.jsp;jsessionid=node0195bty4d669od38s4yghr8p1t54869.node0
/opennms/support/index.htm
Impact: The stored credentials can be captured by an attacker who gains control over the user's computer. Further, an attacker who finds a separate application vulnerability such as cross-site scripting may be able to exploit this to retrieve a user's browser-stored credentials.