Insecure Storage of credentials

Description

When a user can access the administrative area of the site, it is possible to view the database connection information on an existing store. When viewing the data source, as seen below, the password is replaced with a line of asterisks. However, when a user views the source of the page, the information is shown in clear text.

</li>
</ul><ul>
<li title="password used to login">
<label><span>passwd</span></label>
<div>

<input class="text" type="password" value="SuperSecretPassword" name="parametersPanel:parameters:6:parameterPanel:border:border_body:paramValue"/>

</div>
</li>
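The following check is an added example, not part of the original report or of the project's code: it scans rendered HTML for password inputs whose `value` attribute is pre-filled, which is the condition described above. The sample markup is constructed from the fragment in the report (the field name is shortened to a placeholder), and the `HARDENED` variant with an empty value is an assumed shape for a corrected page.

```python
from html.parser import HTMLParser


class PasswordValueFinder(HTMLParser):
    """Collect <input type="password"> elements that carry a pre-filled value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, field name, length of exposed value)

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <input ... />.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() == "password" and a.get("value", ""):
            line, _ = self.getpos()
            # Record only the length so the finding does not repeat the secret.
            self.findings.append((line, a.get("name", ""), len(a["value"])))


def exposed_password_fields(html):
    """Return one finding per password input that ships its value to the browser."""
    finder = PasswordValueFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample based on the fragment in the report; "paramValue" is a placeholder name.
REPORTED = """<li title="password used to login">
<label><span>passwd</span></label>
<div>
<input class="text" type="password" value="SuperSecretPassword" name="paramValue"/>
</div>
</li>"""

# Assumed corrected rendering: the stored secret is never written into the page.
HARDENED = REPORTED.replace('value="SuperSecretPassword"', 'value=""')

if __name__ == "__main__":
    for label, page in (("reported", REPORTED), ("hardened", HARDENED)):
        hits = exposed_password_fields(page)
        print(label, "->", hits if hits else "no pre-filled password fields")
```

Run against saved copies of the administrative pages, a check like this can serve as a regression test so that a stored password is not reintroduced into the markup.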

Environment

None

Status

Assignee

Andrea Aime

Reporter

Stephan

Triage

Fix versions

Affects versions

2.14.0

Components

Priority

Medium