We have a critical security incident in the Identity Portal on our TEST server.

The new Module "Database Passwords" has been added to the IDP - it's for changing passwords.

If I go to the Tasks and open Developer Tools, the web service returns back the whole dataset - passwords are shown in plain text.

Release : 14.4

Customers created IM user store attributes where they stored database passwords for users.

These attributes were also added to Setup - Managed Object Attributes - User attributes.

The issue should be resolved after removing attributes related to Oracle passwords from

Setup - Managed Object Attributes - User attributes.

This prevents them from being obtained by IP from IM and being visible in the Network tab.

Also, they should be marked as shown below in the form:

Any attribute value that should be stored but not visible to user should be marked as sensitive in IM userstore.

In addition it may be encrypted.