AutoComplete Attribute Not Disabled for Password in Form Based Authentication (QID: 86729)

search cancel

AutoComplete Attribute Not Disabled for Password in Form Based Authentication (QID: 86729)

book

Article ID: 376627

calendar_today

Updated On:

Products

VMware vSphere ESXi 7.0 VMware vSphere ESXi 8.0

Issue/Introduction

Vulnerability scanners might detect the following AutComplete vulnerability:

QID-86729-857258

AutoComplete Attribute Not Disabled for Password in Form Based Authentication

Environment

VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x

Cause

The setting for certain browsers such as Mozilla, Chrome, Edge have auto complete password fields 'on' for certain login pages setup via html or JavaScript.

Resolution

This vulnerability has been fixed with the following ESXi release/builds:

For ESXi 7.0: VMware ESXi 7.0 Update 3l Release Notes

For ESXi 8.0: VMware ESXi 8.0 Update 1 Release Notes

If the scanner still reports the vulnerability after reaching the fixed version, check the following:

SSH into affected ESXi host.
Navigate to:
- /usr/lib/vmware/hostd/docroot/ui/views/
Review the following file:
- less login.html
Look for the value autocomplete="off"

Feedback

thumb_up Yes

thumb_down No