we have detected few vulnerability for existing JIRA version 8.5.5. most of them can be mitigated by upgrading the version however please confirm if the vulnerability commented below can be mitigated by upgrading the version.
<The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext.An attacker eavesdropping the traffic between web browser and server may obtain logins and passwords of valid users.>
<The remote web server contains at least one HTML form field that has an input of type 'password' where 'autocomplete' is not set to 'off'.While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or if their machine is compromised at some point.>
The first should not be relevant if you've enforced https
For the second, autocomplete is not set to false on the password field by default in 8.20.6 - but you'll find that most sites have autocomplete enabled.
CCM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.