Type: Defect (Security)
Resolution: Fixed
Priority: Major
Fix Version: 4.0.4
Sprint: Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
Story Points: 0.75
Tested and reproduced with:
Firefox 65.0 and Google Chrome 72.0.3626.109.
Steps:
1. Log into the Zabbix UI and allow the browser to save the credentials.
2. Administration -> Media types -> Create media type.
3. Enter some name for the new media type, click Add.
Result:
Check the added media type in the database: the current user's Zabbix login password has been saved in the "passwd" field, even though the media type was created with authentication disabled and no password was typed.
This leaks user passwords in cleartext to a place where users would not expect them.
Reason:
Even though the SMTP password field was hidden, it was not disabled. A hidden field is still part of the form submission, and browsers auto-fill saved credentials into such fields, so the password is sent to the Zabbix API and stored.
Other suspect areas:
This problem could also be present in the item form for item types that allow entering a password (SSH, telnet, etc.), or in other similar locations.
Possible solutions (both might be desirable):
- Disable hidden password fields.
- Reject media type creation/update in the API when authentication is disabled but credentials are supplied.
Regarding the first one, https://core.trac.wordpress.org/ticket/33699 may serve as inspiration for how WordPress handled this (their regressions may also be worth checking).
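The following is an added example modelling the two proposed fixes; it is not Zabbix code. It reproduces the browser behaviour behind the report (a credential input that is only hidden with CSS is still serialized on submit, while a disabled one is not, and autofill writes the saved login into it) and shows the API-side rejection. The field names smtp_authentication and username are assumed to mirror the media type object (only "passwd" is named in the report), and SAVED_LOGIN is constructed sample data.

```javascript
// Added example, not Zabbix code. Models the report: a credential field that is
// only hidden (display:none) is still part of the browser's form submission, so
// a saved login autofilled into it reaches the API; a disabled field is not.
// Assumed names: smtp_authentication / username mirror the media type object;
// only "passwd" is named in the report. SAVED_LOGIN is constructed sample data.

const SMTP_AUTH_NONE = 0;
const SMTP_AUTH_NORMAL = 1;

// Constructed sample: the Zabbix login the browser offered to save in step 1.
const SAVED_LOGIN = { username: 'Admin', password: 'zabbix-login-secret' };

// A fresh "Create media type" form. Credential fields start empty.
function mediaTypeForm() {
  return [
    { name: 'name', type: 'text', value: 'Ops mail', credential: false },
    { name: 'smtp_server', type: 'text', value: 'mail.example.com', credential: false },
    { name: 'smtp_authentication', type: 'select', value: SMTP_AUTH_NONE, credential: false },
    { name: 'username', type: 'text', value: '', credential: true },
    { name: 'passwd', type: 'password', value: '', credential: true },
  ];
}

// UI toggle for the authentication selector. The vulnerable version only hides
// the credential inputs; the fixed version also sets the disabled attribute.
function applyAuthToggle(fields, auth, { disableHidden }) {
  const show = auth !== SMTP_AUTH_NONE;
  for (const f of fields) {
    if (!f.credential) continue;
    f.hidden = !show;                     // CSS display:none
    f.disabled = disableHidden && !show;  // HTML disabled attribute
  }
}

// Models browser credential autofill: the saved login is written into the
// username/password inputs without regard to whether they are visible.
function browserAutofill(fields, saved) {
  for (const f of fields) {
    if (f.type === 'password') f.value = saved.password;
    else if (f.name === 'username') f.value = saved.username;
  }
}

// Browser submission rule (HTML spec, "constructing the entry list"): disabled
// controls are skipped, but hidden-by-CSS controls are submitted like any other.
function serializeForm(fields) {
  const data = {};
  for (const f of fields) {
    if (f.disabled) continue;
    data[f.name] = f.value;
  }
  return data;
}

// Reproduces the report: authentication off, credential fields only hidden.
function submittedWithHiddenOnly() {
  const fields = mediaTypeForm();
  applyAuthToggle(fields, SMTP_AUTH_NONE, { disableHidden: false });
  browserAutofill(fields, SAVED_LOGIN);
  return serializeForm(fields);
}

// First proposed fix: hidden fields are also disabled, so autofill is harmless.
function submittedWithDisabled() {
  const fields = mediaTypeForm();
  applyAuthToggle(fields, SMTP_AUTH_NONE, { disableHidden: true });
  browserAutofill(fields, SAVED_LOGIN);
  return serializeForm(fields);
}

// Second proposed fix, on the API side: refuse credentials when authentication
// is disabled instead of silently storing them. Params are treated as already
// parsed API input, so the selector value may arrive as a number or a string.
function validateMediaTypeCreate(params) {
  if (Number(params.smtp_authentication) === SMTP_AUTH_NONE) {
    for (const key of ['username', 'passwd']) {
      if (key in params && String(params[key]) !== '') {
        return { ok: false, error: `Parameter "${key}" is not allowed when SMTP authentication is disabled.` };
      }
    }
  }
  return { ok: true };
}

console.log(submittedWithHiddenOnly());   // passwd: 'zabbix-login-secret' leaks
console.log(submittedWithDisabled());     // no username/passwd keys at all
console.log(validateMediaTypeCreate(submittedWithHiddenOnly()));  // ok: false
```

Both fixes are worth keeping: disabling the inputs stops the browser from ever sending the autofilled value, and the API check stops any other client (scripts, older UI versions, hand-crafted requests) from storing credentials that the selected authentication mode will never use.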
Is duplicated by: ZBX-10572 "Admin" suggested as the default surname (Closed)