Security Vulnerability: Web Server Allows Password 'Autocomplete'
Article ID: 342527
Products
VMware Cloud Director
Issue/Introduction
This KB addresses concerns about the password 'autocomplete' setting, a finding that security scanners frequently report against the VCD login page.
Symptoms:
A security scan of the VCD environment may report a vulnerability associated with the password 'autocomplete' attribute.
The finding states that a web page contains a password field that does not have 'autocomplete=off' configured (either on the input itself or on the enclosing form).
Environment
VMware Cloud Director 10.x
VMware Cloud Director for Service Provider 10.x
Cause
The HTML served by VCD contains a password input whose 'autocomplete' attribute is not set to 'off'. Scanners flag any input of type 'password' that does not carry 'autocomplete=off' itself and is not inside a form that carries it.
Resolution
At this time, this issue is outside the scope of VCD. The attribute is part of the HTML that VCD serves and there is no VCD setting to change it. Whether a browser offers to remember a password is decided by the browser, not by the attribute: current versions of Chrome, Edge, Firefox and Safari ignore 'autocomplete=off' on password fields and prompt to save credentials anyway. The effective control is therefore browser policy, applied through GPOs or browser configuration, for example the Chrome and Edge 'PasswordManagerEnabled' policy set to disabled, or 'PasswordManagerEnabled: false' in a Firefox policies.json. None of this can be configured in VCD.
Workaround:
There is no workaround for this issue within the context of VCD at this time; it must be addressed with GPOs and browser configuration changes on the client side.
Additional Information
Impact/Risks:
The VCD web server contains at least one HTML form field that is an input of type 'password' where 'autocomplete' is not set to 'off'. This does not put the VCD cells at risk; the exposure is on the client side, where users who interact with the affected field may have their credentials saved by their browser's password manager. That could lead to a loss of confidentiality if a user logs in from a shared host, or if the user's machine is later compromised and the stored credentials are extracted. Because modern browsers ignore 'autocomplete=off' on password fields, setting the attribute would not remove this exposure either; only browser policy does, which is why the finding is usually rated low or informational.
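To reproduce the scanner's check yourself rather than rely on the scan report, the following added example (not VCD's code and not the scanner's) walks an HTML document with the standard library parser and reports every password input whose effective 'autocomplete' value is not 'off'. The markup below is constructed for the example and is not VCD's real login page; to test a real page, save its HTML (for instance with curl against your own cell's login URL) and pass the text to audit_password_fields().

```python
from html.parser import HTMLParser

# Constructed sample, not VCD markup: three password fields covering the
# cases a scanner distinguishes. Only the first should be flagged.
SAMPLE_HTML = """
<html><body>
<form id="login" action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form id="rotate" action="/rotate" method="post" autocomplete="off">
  <input type="PASSWORD" name="new_pass">
</form>
<form id="pin" action="/pin" method="post">
  <input type="password" name="pin" autocomplete="off">
</form>
</body></html>
"""


class PasswordFieldAuditor(HTMLParser):
    """Collect every <input type="password"> with its effective autocomplete
    value: the input's own attribute if present, otherwise the value on the
    innermost enclosing <form>, otherwise None."""

    def __init__(self):
        super().__init__()
        self._form_stack = []   # autocomplete values of currently open <form> tags
        self.findings = []      # (field name, effective autocomplete, flagged)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; normalise values too,
        # since type="PASSWORD" and autocomplete="Off" are still valid HTML.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self._form_stack.append(a.get("autocomplete"))
        elif tag == "input" and a.get("type") == "password":
            effective = a.get("autocomplete")
            if effective is None and self._form_stack:
                effective = self._form_stack[-1]
            flagged = effective != "off"
            self.findings.append((a.get("name", "?"), effective, flagged))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def audit_password_fields(html):
    """Return a list of (name, effective_autocomplete, flagged) for each
    password input found in the document."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def flagged_fields(html):
    """Names of password inputs a scanner would report for this finding."""
    return [name for name, _, flagged in audit_password_fields(html) if flagged]


if __name__ == "__main__":
    for name, effective, flagged in audit_password_fields(SAMPLE_HTML):
        state = "FLAGGED" if flagged else "ok"
        print(f"{name:10} autocomplete={effective!r:8} {state}")
```

The check deliberately honours 'autocomplete=off' on the parent form as well as on the input, because both placements satisfy the scanners that raise this finding; a field reported as flagged here is exactly the condition described under Impact/Risks. Remember that a clean result only silences the scanner: it does not stop a current browser from offering to save the password.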