On CMS login with an incorrect password, the (incorrect) password is present in the login form HTML
Issue date: 04-12-2018
Affects versions: 12.5, 12.4, 11.2, 10.2
Issue ID: SECURITY-80
Affected Product Version(s)
This vulnerability applies to CMS 12.4.0, 12.3.1, 11.2.8 and 10.2.12 and earlier versions.
Severity
normal
Description
When a user logs in to the CMS web application with an incorrect password, the CMS returns the login page with the submitted (incorrect) password pre-filled as the value of the password field.
Browsers mask password fields, so the value is not visible on screen, but anyone who can inspect the response HTML (view source, browser developer tools, an intercepting proxy, or a cached copy of the page) can read the incorrect password in clear text. Because an incorrect password frequently differs from the real one by only a typo, this can effectively expose the user's actual credential.
Note that the maintenance releases CMS 10.2.13, CMS 11.2.9, CMS 12.3.2, CMS 12.4.1 and CMS 12.5.0 no longer echo the password into the page, but they log an error when an incorrect password is entered; the releases that fully resolve the issue are listed under Instructions below.
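As an added illustration (not code from this advisory or from the CMS itself), the following Python script checks whether a login response exhibits the behaviour described above: it parses the returned HTML and reports any `<input type="password">` whose `value` attribute equals the password that was just submitted. The two embedded responses are constructed samples of a vulnerable and a fixed login page; the `probe()` helper and its form-field names (`username`, `password`) are assumptions about a generic login form and must be adjusted to the instance under test.

```python
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser


class _PasswordFieldScanner(HTMLParser):
    """Collect the value attribute of every <input type="password"> in a page."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # HTMLParser has already unescaped attribute values (&amp; -> &),
        # so what we collect is the clear-text value the browser would hold.
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.values.append(a.get("value", ""))


def reflected_password_fields(page):
    """Return the non-empty values of all password inputs in the HTML page."""
    scanner = _PasswordFieldScanner()
    scanner.feed(page)
    scanner.close()
    return [v for v in scanner.values if v]


def echoes_submitted_password(page, submitted):
    """True if the page pre-fills a password field with the submitted password."""
    return submitted in reflected_password_fields(page)


def probe(login_url, username, wrong_password,
          username_field="username", password_field="password"):
    """POST a deliberately wrong password to a login form you are authorised
    to test and report whether the response echoes it back into the page.
    Field names are assumptions about a generic login form (hypothetical)."""
    data = urllib.parse.urlencode(
        {username_field: username, password_field: wrong_password}).encode()
    req = urllib.request.Request(login_url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            charset = resp.headers.get_content_charset() or "utf-8"
            body = resp.read().decode(charset, "replace")
    except urllib.error.HTTPError as err:
        # A failed login may be answered with 401/403; the body still matters.
        charset = err.headers.get_content_charset() or "utf-8"
        body = err.read().decode(charset, "replace")
    return echoes_submitted_password(body, wrong_password)


# Constructed sample: what an affected version returns after a failed login.
# The incorrect password "Hunter2&1" is HTML-escaped into the value attribute.
VULNERABLE_RESPONSE = """<html><body>
<form method="post" action="/cms/login">
<p class="error">Invalid username or password.</p>
<input type="text" name="username" value="editor">
<input type="password" name="password" value="Hunter2&amp;1">
<button type="submit">Log in</button>
</form></body></html>"""

# Constructed sample: a fixed version re-renders the form with an empty
# password field (or no value attribute at all).
FIXED_RESPONSE = """<html><body>
<form method="post" action="/cms/login">
<p class="error">Invalid username or password.</p>
<input type="text" name="username" value="editor">
<input type="password" name="password" value="">
<button type="submit">Log in</button>
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, "echoes password:", echoes_submitted_password(page, "Hunter2&1"))
```

When running `probe()` against a real instance, use a random throwaway string as the wrong password rather than a near-miss of a real one, since the point of the check is precisely that whatever is submitted may come back in the response and in any proxy or cache along the way.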
Instructions
For all currently supported CMS versions this vulnerability has been fixed through code changes only; updating to the latest maintenance release is sufficient: CMS 10.2.14, CMS 11.2.10, CMS 12.3.3, CMS 12.4.2 or CMS 12.5.1.