
CVE-2019-14840: CWE-522 in Business-central

Severity: High
Published: Mon Oct 17 2022 (10/17/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: Business-central

Description

A flaw was found in RHDM, where sensitive HTML form fields such as Password have auto-complete enabled, which may lead to a leak of credentials.

AI-Powered Analysis

Last updated: 07/06/2025, 17:25:52 UTC

Technical Analysis

CVE-2019-14840 is a vulnerability in Business-central as shipped in Red Hat Decision Manager (RHDM) 7 and Red Hat Process Automation Manager (RHPAM) 7. It is classified as CWE-522 (Insufficiently Protected Credentials). The issue is that sensitive HTML form fields, such as password inputs, are rendered with the browser autocomplete attribute enabled. The browser may therefore store the entered value and autofill it later, so anyone who gains access to the client machine or to the browser's stored form data can recover the credential. The vulnerability does not require authentication or user interaction to be exploited and is rated as reachable over the network (AV:N). The CVSS v3.1 base score is 7.5 (High), driven by the confidentiality impact: integrity and availability of the system are not affected, but leaked credentials can lead to unauthorized access and further compromise. No exploits are known in the wild, and no official patches are linked in the provided data. The root cause is an insecure design choice in the web application layer of Business-central, where sensitive fields should have autocomplete disabled so that browsers do not cache credentials.

Potential Impact

For European organizations running Business-central within RHDM 7 or RHPAM 7, this vulnerability is primarily a risk to the confidentiality of user credentials. An attacker who can read browser-stored passwords could gain unauthorized access to business automation and decision management systems, which could in turn lead to data breaches, unauthorized changes to automated processes, or lateral movement within the corporate network. Because these platforms typically encode sensitive business logic and workflows, a compromise could disrupt operations or expose intellectual property. The risk is higher where endpoint security is weak or where several users share a workstation. Although no active exploits are currently known, the page rates the issue as requiring neither authentication nor user interaction, so an attacker with network access or control of a client device could automate credential harvesting. Unauthorized disclosure of personal or sensitive data through leaked credentials could also undermine compliance with European data protection regulations such as GDPR.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify whether they are running affected versions of Business-central within RHDM 7 or RHPAM 7. Since no official patches are linked, the immediate mitigation is a configuration change that disables autocomplete on sensitive form fields in the web application: developers or administrators should audit the HTML forms and explicitly set autocomplete="off" on every password and other sensitive input field. Note that the built-in password managers of current browsers generally ignore autocomplete="off" on login password fields and may still offer to save the credential, so this change reduces rather than eliminates client-side caching and must be paired with endpoint controls. Organizations should therefore enforce strict endpoint security policies that prevent unauthorized access to browser-stored credentials, including full disk encryption, secure browser configurations that disable or centrally manage the browser's password store, and regular clearing of cached form data. Network segmentation and monitoring can help detect activity indicative of credential harvesting. Where possible, multi-factor authentication (MFA) should be implemented to limit the impact of a leaked password. Finally, organizations should monitor vendor advisories for forthcoming patches or updates addressing this issue and plan to apply such fixes promptly.
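As an added example (not code from Business-central, RHDM or RHPAM), the following Python script implements the form audit described above: it parses HTML and reports password-type or password-named inputs whose effective autocomplete setting, after inheriting the enclosing form's value, is neither off nor new-password. The sample HTML is constructed, and SAFE_TOKENS and SECRET_HINTS are assumptions about which values and field names to treat as sensitive.

```python
# Added example: audit HTML templates for secret fields left open to browser
# autofill (the CWE-522 pattern in CVE-2019-14840). Not Business-central code.
from html.parser import HTMLParser

SAFE_TOKENS = {"off", "new-password"}  # assumed: values that suppress autofill of stored secrets
SECRET_HINTS = ("password", "passwd", "pwd", "secret")  # assumed: name/id fragments of secret fields

class AutocompleteAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_stack = []  # autocomplete value of each enclosing <form>
        self.findings = []    # (field, effective autocomplete value, line number)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append(a.get("autocomplete", "on"))
            return
        if tag != "input":
            return
        name = a.get("name") or a.get("id") or ""
        if a.get("type") != "password" and not any(h in name for h in SECRET_HINTS):
            return
        # a field with no attribute of its own inherits the enclosing form's setting
        effective = a.get("autocomplete", self.form_stack[-1] if self.form_stack else "on")
        tokens = effective.split()  # the last token carries the field-type hint
        if not tokens or tokens[-1] not in SAFE_TOKENS:
            self.findings.append((name or "<unnamed>", effective, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()

def audit_html(html):
    """Return secret fields whose effective autocomplete setting is not safe."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a login form with the weak pattern, then a hardened form
SAMPLE = """
<form action="/login" method="post">
  <input type="password" name="password">
</form>
<form action="/settings" method="post" autocomplete="off">
  <input type="password" name="newPassword" autocomplete="new-password">
  <input type="password" name="confirmPassword">
</form>
"""
```

Running audit_html(SAMPLE) flags only the login form's password field; the settings form is clean because its fields inherit autocomplete="off" or set new-password explicitly.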


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2019-08-10T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecbb8

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:25:52 PM

Last updated: 8/18/2025, 2:07:42 AM
