On CMS login with incorrect password the (incorrect) password is in the login form HTML - BloomReach Experience - Open Source CMS

Issue date: 04-12-2018
Affects versions: 12.5, 12.4, 11.2, 10.2

Issue ID: SECURITY-80

Affected Product Version(s)
This vulnerability applies to CMS 12.4.0, 12.3.1, 11.2.8 and 10.2.12, and to earlier versions of those release lines.

Severity 
normal

Description

When a user logs into the CMS web application with an incorrect password, the CMS re-renders the login page with the (incorrect) password as the value of the password input field.

Although the browser masks the password in the rendered page, anyone who can inspect the HTML source of the response (for example with the browser's developer tools or an intercepting proxy) can read the (incorrect) password in clear text.

Note that in the maintenance releases CMS 10.2.13, CMS 11.2.9, CMS 12.3.2, CMS 12.4.1 and CMS 12.5.0 this issue does not occur, but an error is logged when an incorrect password is entered.
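The pattern described above, as an added illustration that is not code from BloomReach or the CMS: a minimal login-form renderer that echoes every submitted field back into the form (the failure mode of this advisory), a hardened variant that never hands the password to the renderer, and a check that scans a login response body for a pre-filled password field or the submitted password appearing anywhere in the page. The form markup, function names and sample credentials are assumptions made for the example.

```python
# Added example, not BloomReach / Hippo CMS code. The form markup, the function
# names and the sample credentials below are illustrative assumptions.
from html import escape
from html.parser import HTMLParser


def render_login_vulnerable(username: str, password: str, error: str) -> str:
    """Re-render the form after a failed login by echoing every submitted field
    back as its value. The browser masks the password on screen, but it sits in
    clear text in the HTML source: the failure mode the advisory describes."""
    return (
        '<form method="post" action="/cms/login">'
        f'<p class="error">{escape(error)}</p>'
        f'<input type="text" name="username" value="{escape(username)}">'
        f'<input type="password" name="password" value="{escape(password)}">'
        '<button type="submit">Log in</button>'
        '</form>'
    )


def render_login_fixed(username: str, error: str) -> str:
    """Hardened variant: the password is never passed to the renderer, so it
    cannot end up in the response. Only the username is retained for retry."""
    return (
        '<form method="post" action="/cms/login">'
        f'<p class="error">{escape(error)}</p>'
        f'<input type="text" name="username" value="{escape(username)}">'
        '<input type="password" name="password">'
        '<button type="submit">Log in</button>'
        '</form>'
    )


class _PageScanner(HTMLParser):
    """Collect every attribute value, every text chunk, and separately the value
    attribute of each <input type="password">. HTMLParser decodes entity
    references, so a password written as Wr0ng&amp;Pass in the source is
    compared in its original form."""

    def __init__(self):
        super().__init__()
        self.attr_values = []
        self.text_chunks = []
        self.password_field_values = []

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        self.attr_values.extend(a.values())
        if tag.lower() == "input" and a.get("type", "").lower() == "password" and a.get("value"):
            self.password_field_values.append(a["value"])

    def handle_data(self, data):
        self.text_chunks.append(data)


def check_login_response(html: str, submitted_password: str) -> dict:
    """Inspect a login-page response body the way a tester would after a
    deliberately failed login. Reports the two leak indicators separately:
    a pre-filled password field, and the submitted password appearing in any
    attribute value or text node of the page."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()  # flushes buffered text so handle_data has seen everything
    echoed = (
        submitted_password in scanner.attr_values
        or any(submitted_password in chunk for chunk in scanner.text_chunks)
    )
    return {
        "password_field_prefilled": bool(scanner.password_field_values),
        "submitted_password_echoed": echoed,
    }


if __name__ == "__main__":
    # Constructed sample: one failed login against each renderer.
    user, bad_pw, msg = "admin", "Wr0ng&Pass", "Invalid username or password"
    pages = (
        ("vulnerable", render_login_vulnerable(user, bad_pw, msg)),
        ("fixed", render_login_fixed(user, msg)),
    )
    for label, page in pages:
        print(label, check_login_response(page, bad_pw))
```

To verify a deployment after updating, submit a deliberately wrong password through an intercepting proxy and feed the captured response body to check_login_response with the same password; both indicators should be False on a fixed release.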

Instructions

For all currently supported CMS versions this vulnerability has been fixed through code changes only; remediation requires nothing more than updating to the latest maintenance release: CMS 10.2.14, CMS 11.2.10, CMS 12.3.3, CMS 12.4.2 or CMS 12.5.1.