Type: Defect (Security)
Affects Version/s: 4.0.4
Component/s: Frontend (F)
Sprint: Sprint 49 (Feb 2019), Sprint 50 (Mar 2019), Sprint 51 (Apr 2019)
Tested and reproduced with:
Firefox 65.0 and Google Chrome 72.0.3626.109.
1. Log into the Zabbix UI and allow the browser to save the credentials.
2. Administration -> Media types -> Create media type.
3. Enter some name for the new media type, click Add.
Check the added media type in the database - the password for the current user has been saved in the "passwd" field.
This leaks user passwords in cleartext where users would not expect.
Even though the password field for SMTP was hidden, it was not disabled. Browsers auto-fill such fields and send them to the Zabbix API.
Other suspect areas:
This problem could also be present in the item form for items that allow entering a password (SSH, telnet etc), or in other similar locations.
Possible solutions (both might be desirable):
- Disable hidden password fields.
- Reject in the API media type creation/update with authentication disabled, but credentials supplied.
Regarding the first one, https://core.trac.wordpress.org/ticket/33699 might serve as an inspiration for how WordPress has handled this (their regressions might be worth checking, too).
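
The two proposed solutions, sketched as an added example (illustrative code, not taken from Zabbix): the form is modelled as plain objects so the submit behaviour can be checked without a browser. Apart from "passwd", the field names, the `AUTH_*` values and all function names are assumptions.

```javascript
// Added example; names other than "passwd" are assumptions for illustration.
const AUTH_NONE = 0;     // assumed value: SMTP authentication disabled
const AUTH_PASSWORD = 1; // assumed value: username/password authentication

// Models which fields a browser submits: a field that is only hidden is
// still sent (and can be auto-filled); a disabled field is never sent.
function serializeForm(fields) {
  const out = {};
  for (const f of fields) {
    if (!f.disabled) out[f.name] = f.value;
  }
  return out;
}

// Solution 1 (frontend): disable credential inputs whenever they are hidden.
function disableHiddenCredentials(fields) {
  return fields.map((f) =>
    f.hidden && (f.type === 'password' || f.name === 'username')
      ? { ...f, disabled: true }
      : f
  );
}

// Solution 2 (API): reject credentials supplied with authentication disabled.
function validateMediaType(params) {
  const auth = Number(params.smtp_authentication ?? AUTH_NONE);
  const hasCreds = ['username', 'passwd'].some(
    (k) => typeof params[k] === 'string' && params[k] !== ''
  );
  if (auth === AUTH_NONE && hasCreds) {
    return { ok: false, error: 'credentials supplied while authentication is disabled' };
  }
  return { ok: true };
}

// Constructed sample: form state after the browser auto-filled the hidden fields.
const autofilledForm = [
  { name: 'description', type: 'text', value: 'Test media', hidden: false },
  { name: 'smtp_authentication', type: 'radio', value: '0', hidden: false },
  { name: 'username', type: 'text', value: 'Admin', hidden: true },
  { name: 'passwd', type: 'password', value: 'constructed-password', hidden: true },
];
```

With only the API check in place the auto-filled request is refused instead of stored; with the frontend change the credential fields never leave the browser, so the same request passes validation.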