[ZBXNEXT-2480] AutoComplete Attribute Not Disabled for Password in Form Based Authentication - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Change Request
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0.12, 2.0.13, 2.2.4, 2.2.5, 2.2.6, 2.3.3, 2.3.4, 2.3.5, 2.4.0
Fix Version/s: 4.0.27rc1, 5.0.6rc1, 5.2.2rc1, 5.4.0alpha1, 5.4 (plan)
Component/s: Frontend (F)
Labels:
- patch

Team:
Team D
Sprint:
Sprint 69 (Oct 2020), Sprint 70 (Nov 2020)
Story Points:
3

Description

Threat

The Web server allows form based authentication without disabling the AutoComplete feature for the password field.

Impact

The passwords entered by one user could be stored by the browser and retrieved for another user using the browser.

Solution

Contact the vendor to have the AutoComplete attribute disabled for the password field in all forms. The AutoComplete attribute should also be disabled for the user ID field.