Bug 1748185 (CVE-2019-14840) - CVE-2019-14840 Business-central: Sensitive HTML Form Fields like Password has auto-complete Enabled
Summary: CVE-2019-14840 Business-central: Sensitive HTML Form Fields like Password has...
Alias: CVE-2019-14840
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1744775 1941988
TreeView+ depends on / blocked
Reported: 2019-09-03 06:21 UTC by Paramvir jindal
Modified: 2021-10-25 09:53 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-25 09:53:41 UTC

Attachments (Terms of Use)

Description Paramvir jindal 2019-09-03 06:21:38 UTC
autocomplete=off is not present in the password field or at the form level in the login page source code:

<form class="form-horizontal" role="form" action="j_security_check?locale=en_US" method="POST">
                    <div class="form-group">
                        <label for="j_username" class="col-sm-2 col-md-2 control-label">Username</label>
                        <div class="col-sm-10 col-md-10">
                            <input type="text" class="form-control" value="" name="j_username" id="j_username" placeholder="" tabindex="1" autofocus />
                    <div class="form-group">
                        <label for="j_password" class="col-sm-2 col-md-2 control-label">Password</label>
                        <div class="col-sm-10 col-md-10">
                            <input type="password" class="form-control" id="j_password" name="j_password" placeholder="" tabindex="2">
                    <div class="form-group">
                        <div class="col-xs-offset-8 col-xs-4 col-sm-offset-8 col-sm-4 col-md-offset-8 col-md-4 submit">
                            <button type="submit" class="btn btn-primary btn-lg" tabindex="3">Sign In</button>


Disable autocomplete for all sensitive fields like: 

<input type="password" autocomplete="off" name="pw">

If there are many fields, it may be faster to set the "autocomplete" attribute to "off" in the outer <form> tag. For

<form action="/login.jsp" autocomplete="off" name="pw">
<input type="password" name="pw">

Note You need to log in before you can comment on or make changes to this bug.