  1. OpenNMS
  2. NMS-13847

Password field with autocomplete enabled

Details

    • Horizon 22 - Feb 2 - Feb 16, Horizon 22 - Feb 16 - Mar 2
    • NB

    Description

      Vulnerability Description: Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

       

      Evidence: The following instances of this issue were identified at the following locations:
      /opennms/account/selfService/newPasswordEntry
      /opennms/admin/userGroupView/users/newUser.jsp
      /opennms/login.jsp
      /opennms/login.jsp;jsessionid=node0195bty4d669od38s4yghr8p1t54869.node0
      /opennms/support/index.htm

      Impact: The stored credentials can be captured by an attacker who gains control over the user's computer. Further, an attacker who finds a separate application vulnerability such as cross-site scripting may be able to exploit this to retrieve a user's browser-stored credentials.
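
Added example, not part of the original report and not OpenNMS code: a static check that flags password inputs whose `autocomplete` attribute is neither set on the field nor inherited from the enclosing form. The sample markup and field names are constructed, and treating `off` and `new-password` as acceptable values is an assumption of this check.

```python
from html.parser import HTMLParser

# Values this audit accepts as "do not offer stored credentials" (assumption).
SAFE_VALUES = {"off", "new-password"}

class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete value is not in SAFE_VALUES."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.form_autocomplete = None  # autocomplete of the enclosing <form>, if any
        self.findings = []             # (line, field name, reason)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "form":
            value = a.get("autocomplete")
            self.form_autocomplete = value.lower() if value is not None else None
        elif tag == "input" and a.get("type", "").lower() == "password":
            own = a.get("autocomplete")
            # The field's own attribute wins; otherwise fall back to the form's value.
            effective = own.lower() if own is not None else self.form_autocomplete
            if effective not in SAFE_VALUES:
                reason = ("autocomplete not set" if effective is None
                          else "autocomplete=%r" % effective)
                self.findings.append((self.getpos()[0], a.get("name", "?"), reason))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None  # stop inheriting once the form closes

def audit(html):
    """Return a list of (line, field name, reason) for each flagged password input."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from the OpenNMS pages listed above.
SAMPLE = """<form action="login" method="post">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>
<form action="newUser" autocomplete="off">
  <input type="password" name="pass1">
  <input type="password" name="pass2" autocomplete="on">
</form>
<input type="PASSWORD" name="newPass" autocomplete="new-password">
"""

if __name__ == "__main__":
    for line, name, reason in audit(SAMPLE):
        print("line %d: password field %r: %s" % (line, name, reason))
```

Many current browsers ignore `autocomplete="off"` on login fields and still offer to save the password, so a clean result describes the markup only, not what the browser stores.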

            People

              geraldhumphries Gerald Humphries
              gp185132 Gaurav Pande