These page(s) contain a form with a password field. The form's method attribute is either set to GET, or not defined at all, in which case it defaults to GET. This configuration may lead to user data being submitted using the GET method, causing the contents of the password field to appear in the URL. Sensitive information should not be passed via the URL. URLs could be logged or leaked via the Referer header.


The HTML form's method attribute should be defined and set POST rather than GET.

Related Vulnerabilities