Security Vulnerability
    Article summary

The following table lists the security vulnerabilities that are fixed in Acqueon Workspace:

| Vulnerability | Cause | Provided Fix | Fixed In |
|---|---|---|---|
| Information disclosure | The default NGINX error page disclosed sensitive information such as file paths and environment variables. | Integrated customized HTML within the Workspace component by referencing the customized HTML stored in the designated directory: desktop/nginx/html. A generic 500 error page is also served in the event of a 500x error. | 3.17.0 |
| Default password enabled | The absence of complex password validation allowed users to log in with simple passwords. | More robust password validation criteria have been implemented. As a mandatory measure, users are now prompted to reset passwords that do not meet the secure guidelines. | 3.17.0 |
| Sensitive data and credentials revealed in clear text in network logs | Absence of encryption mechanisms and data masking. | Sensitive data and credentials have been encrypted in the API response and payload. | 3.17.0 |
| Autocomplete feature enabled | Setting autocomplete=off on the input tag is not honoured by newer browser versions. | The autocomplete feature on the Login page has been disabled. As part of the fix, the browser pop-up prompting users to save their password has also been disabled. | 3.17.0 |
| ETag (entity tag) revealed sensitive information | The ETag header, used for caching and for identifying distinct versions of a resource on the server, inadvertently exposed sensitive information in the response, affecting the security of update tracking. | Removed the ETag header by specifying its removal in the NGINX configuration, preventing the disclosure of sensitive information. | 3.17.0 |
| Request vulnerable to Cross-Site Request Forgery (CSRF) | CSRF attacks can harm users' privacy by allowing unauthorized actions, such as manipulating security configurations, disseminating spam messages, or distributing malware, thereby compromising the overall security of users. | Incorporated both session cookie and authentication token validation to mitigate the risk of CSRF attacks. | 3.17.0 |
| The agent name/agent user name is visible as clear text in APIs | Absence of an encryption mechanism. | The agent name/agent user name has been encrypted in the API response and payload. | 3.22 |
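The two NGINX-side fixes in the table (the custom error page replacing the default one, and the removal of the ETag header) can be expressed as a small server configuration. The fragment below is an added example written for this article and is not Acqueon's shipped configuration; the root path `/opt/workspace/desktop/nginx/html`, the file name `500.html`, the upstream name `workspace_app` and the `server_name` are assumptions. Only standard directives of the core `ngx_http_core_module` and `ngx_http_proxy_module` are used.

```nginx
# Example NGINX server block (added illustration, not the product's own config).
server {
    listen 443 ssl;
    server_name workspace.example.internal;   # assumed host name

    # Do not advertise the NGINX version in headers or on default error pages.
    server_tokens off;

    # Stop NGINX from generating the ETag header for static responses,
    # so no resource version information is exposed in the response.
    etag off;

    # Serve one generic page for all 5xx errors instead of the default
    # NGINX page. The page is stored in the customized HTML directory
    # (the directory name desktop/nginx/html comes from the article;
    # the absolute prefix is assumed).
    error_page 500 502 503 504 /500.html;

    location = /500.html {
        root /opt/workspace/desktop/nginx/html;   # assumed absolute path
        internal;   # only reachable via error_page, never by direct request
    }

    location / {
        proxy_pass http://workspace_app;   # assumed upstream name
        # Replace 5xx responses produced by the upstream with the generic
        # page above, so backend stack traces or paths never reach the client.
        proxy_intercept_errors on;
        # Strip any ETag the upstream application itself sets.
        proxy_hide_header ETag;
    }
}
```

The `internal` directive is the detail worth checking: without it, `/500.html` can be requested directly, which is harmless here but would let an operator forget that the file must not contain anything environment-specific. After reloading NGINX, `curl -I` against a URL that returns 5xx should show no `ETag` or `Server: nginx/<version>` header and the body of the generic page rather than the default one.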
