Skip to content

FOUR-32191 [52344] Clear Text Submission of Login Password in Process…#8902

Open
gproly wants to merge 4 commits into
developfrom
feature/FOUR-32191
Open

FOUR-32191 [52344] Clear Text Submission of Login Password in Process…#8902
gproly wants to merge 4 commits into
developfrom
feature/FOUR-32191

Conversation

@gproly

@gproly gproly commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

…Maker

Description:
When the login button is clicked, the payload shows that the username and password are visible in clear text in the request body.

  • Expected Behavior Login credentials should be Encrypted and transmitted over the network, and not exposed in request body.
  • Notes to QA This was also tested on an intercepting site called Burp Suite

Related tickets:
https://processmaker.atlassian.net/browse/FOUR-32191

For test:
php artisan view:clear

ci:deploy

…Maker

Description:
When the login button is clicked, the payload shows that the username and password are visible in clear text in the request body.
- Expected Behavior
Login credentials should be Encrypted and transmitted over the network, and not exposed in request body.
- Notes to QA
This was also tested on an intercepting site called Burp Suite

Related tickets:
https://processmaker.atlassian.net/browse/FOUR-32191
@cursor

cursor Bot commented Jul 9, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@vladyrichter

Copy link
Copy Markdown

QA server K8S was successfully deployed https://ci-d41af8f5e4.engk8s.processmaker.net

@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@vladyrichter

Copy link
Copy Markdown

QA server K8S was successfully deployed https://ci-d41af8f5e4.engk8s.processmaker.net

…e limit), the implementation now uses:

AES-256-GCM to encrypt {username, password, timestamp} → no practical size limit.
RSA-OAEP to encrypt only the AES key (32 bytes) → always fits.
@gproly gproly requested review from caleeli and pmPaulis and removed request for rodriquelca July 10, 2026 15:57
@processmaker-sonarqube

Copy link
Copy Markdown

@vladyrichter

Copy link
Copy Markdown

QA server K8S was successfully deployed https://ci-d41af8f5e4.engk8s.processmaker.net

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants