On CMS login with incorrect password the (incorrect) password is in the login form HTML

Issue date: 04-12-2018
Affects versions: 12.5, 12.4, 11.2, 10.2

Issue ID: SECURITY-80

Affected Product Version(s)
This vulnerability applies to CMS 12.4.0, 12.3.1, 11.2.8 and 10.2.12 and earlier versions.

Severity
normal

Description

When a user logs into the CMS web application with an incorrect password, the CMS will return the login page containing the (incorrect) password as password field value.

Although the password is not shown in the page, inspection of the HTML can reveal the (incorrect) password

Note that in maintenance releases CMS 10.2.13, CMS 11.2.9, CMS 12.3.2, CMS 12.4.1 and CMS 12.5.0 this issue does not occur but an error is logged when entering an incorrect password.

Instructions

For all current supported CMS versions, this vulnerability has been fixed, through code changes only, and only requires updating to the latest maintenance releases: CMS 10.2.14, CMS 11.2.10, CMS 12.3.3 or CMS 12.4.2, 12.5.1.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

On CMS login with incorrect password the (incorrect) password is in the login form HTML