LDAP password disclosed on admin page

Description

Given

  • I am an Openfire administrator

  • I have my Openfire server set up for LDAP

Then

  • The LDAP password is sent to the browser in plain text (obscured only by a password field) when I view the LDAP settings

Marked as minor, as it requires admin console access, although it could be used in another attack to use that credential or egress that password elsewhere.

Environment

None

Fixed

Details

Created September 23, 2019 at 3:59 PM
Updated November 23, 2019 at 6:11 PM
Resolved September 24, 2019 at 12:50 PM
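
The pattern described in this issue, shown beside a hardened form, as an added example that is not Openfire source code and not the fix that was shipped. The class, method and field names are hypothetical, and the password is a constructed sample value.

```java
// Added example, not Openfire source; class and method names are hypothetical.
public class LdapSettingsForm {

    // Vulnerable pattern: the stored bind password is echoed into the value
    // attribute, so it is readable in page source, proxies and caches.
    static String renderVulnerable(String stored) {
        return "<input type=\"password\" name=\"password\" value=\""
                + escapeHtml(stored) + "\">";
    }

    // Hardened pattern: the secret never leaves the server; the field only
    // indicates whether a password is currently configured.
    static String renderHardened(String stored) {
        String hint = (stored == null || stored.isEmpty()) ? "not set" : "unchanged";
        return "<input type=\"password\" name=\"password\" value=\"\""
                + " placeholder=\"(" + hint + ")\" autocomplete=\"new-password\">";
    }

    // On submit, a blank field means "keep the stored password"; clearing
    // the password would need a separate explicit control.
    static String resolveSubmitted(String submitted, String stored) {
        return (submitted == null || submitted.isEmpty()) ? stored : submitted;
    }

    static String escapeHtml(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        String stored = "Constructed-Bind-Pw!"; // constructed sample value
        String weak = renderVulnerable(stored);
        String safe = renderHardened(stored);
        System.out.println("vulnerable: " + weak);
        System.out.println("hardened:   " + safe);
        if (!weak.contains(stored)) throw new AssertionError("expected leak");
        if (safe.contains(stored)) throw new AssertionError("secret in hardened markup");
        if (!resolveSubmitted("", stored).equals(stored))
            throw new AssertionError("blank must keep stored");
        if (!resolveSubmitted("NewPw", stored).equals("NewPw"))
            throw new AssertionError("new value must win");
    }
}
```

A quick check for this class of bug is to view the raw response for any settings page and search it for the configured secret.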