On CMS login with incorrect password the (incorrect) password is in the login form HTMLIssue date: 04-12-2018
Affects versions: 12.5, 12.4, 11.2, 10.2
Issue ID: SECURITY-80
Affected Product Version(s)
This vulnerability applies to CMS 12.4.0, 12.3.1, 11.2.8 and 10.2.12 and earlier versions.
When a user logs into the CMS web application with an incorrect password, the CMS will return the login page containing the (incorrect) password as password field value.
Although the password is not shown in the page, inspection of the HTML can reveal the (incorrect) password
Note that in maintenance releases CMS 10.2.13, CMS 11.2.9, CMS 12.3.2, CMS 12.4.1 and CMS 12.5.0 this issue does not occur but an error is logged when entering an incorrect password.
For all current supported CMS versions, this vulnerability has been fixed, through code changes only, and only requires updating to the latest maintenance releases: CMS 10.2.14, CMS 11.2.10, CMS 12.3.3 or CMS 12.4.2, 12.5.1.