Description

User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Remediation

Because user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS).

References

Password Transmitted over HTTP | Invicti

Related Vulnerabilities

ASP.NET: Failure To Require SSL For Authentication Cookies

Basic authentication over HTTP

Active Mixed Content over HTTPS

Insecure transition from HTTP to HTTPS in form post

SSL/TLS Not Implemented

Severity

Medium

Classification

CWE-523 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Sensitive Data Not Over Ssl