Password Field AutoComplete Vulnerability in CUCM V10.5.2

pradeep.ts
Level 1

Hi,

Can anyone help me to find the solution for the below Password Field AutoComplete Vulnerability in CUCM V10.5.2?

Vulnerability details as below:

Password input fields on this page allow auto-completion. Users can easily gain unauthorized access to protected information.

Thanks in advance

Pradeep

8 Replies

Wilson Samuel
Level 7

Hi Pradeep,

Could you please re-post the link, as I couldn't reach the URL you had posted.

Regards

Hi Wilson,

Thank you for the post, please find the below vulnerability details encountered during the security scan.

Affected Products

CUCM/ CUC - 10.5.2

Vulnerability details

Password input fields on this page allow auto-completion. Users can easily gain unauthorized access to protected information.

To do

Forms where passwords are submitted should only be enabled over HTTPS, password fields should also contain the option 'autocomplete=off'

MITIGATION

Vulnerable pages can be deleted or blocked, although this will affect website functionality.

Thanks in advance

Pradeep.

You have no control over the webpages from CUC/CUC, I'm assuming this is the outcome from a tool you ran, and not something we deemed as a vulnerability, right???

HTH

java

if this helps, please rate

Yes, you are right Jaime,

This result is from the security scanning tool; unfortunately, this is classified as a vulnerability.

Is there any way to restrict this from CUCM/CUC services?

With Thanks & Regards,

Pradeep.

As I already mentioned, you have no control over the pages. You'll have to explain this cannot be adjusted; you'll have to do something on the user side to disable them storing passwords.

HTH

java

if this helps, please rate

Thanks Jaime

Hi,

I thought it was a vulnerability as published by Cisco. If it is not a vulnerability published by Cisco and some third party (in your case it is for the browser).

I recommend always keeping a patched up for any Security Patches and always use Firefox (and to some extent Chrome)

HTH

Thanks Wilson
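To reproduce what the scanner's "To do" items test for, the following added example (not part of the thread and not Cisco code) parses a page's HTML and reports, for each password field, whether `autocomplete` is off and whether the form submits over HTTPS. The sample markup, the `portal.example` URL and the field names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PasswordFieldAudit(HTMLParser):
    """Collect password inputs and the two conditions the scan report names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form = None      # attributes of the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form = a
        elif tag == "input" and a.get("type", "").lower() == "password":
            form = self.form or {}
            # The field's own attribute wins; otherwise it inherits from the form.
            ac = (a.get("autocomplete") or form.get("autocomplete") or "").lower()
            # A missing or relative action resolves against the page URL.
            target = urljoin(self.page_url, form.get("action", ""))
            self.findings.append({
                "field": a.get("name", "<unnamed>"),
                "autocomplete_off": ac == "off",
                "submits_over_https": urlparse(target).scheme == "https",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def audit(html, page_url):
    parser = PasswordFieldAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup, not taken from any CUCM/CUC page.
SAMPLE = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass1">
</form>
<form action="http://intranet.example/auth" autocomplete="off">
  <input type="password" name="pass2">
</form>
<form action="/change"><input type="PASSWORD" name="pass3" autocomplete="OFF"></form>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://portal.example/app/"):
        print(finding)
```

Many current browsers' password managers still offer to save credentials on login forms that set `autocomplete="off"`, so the browser-side setting mentioned in the replies is the control that actually stops passwords being stored.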