Cleartext passwords external services in Squash TM's web interface

[Guillaume Quéré <guillaume () quere eu>]

SquashTM
--------
Squash TM is a web interface used to manage test cases. More at: https://www.squashtest.org/en

Description
-----------
There is a vulnerability in SquashTM's administration panel, where external services (a.k.a. automation servers) are 
defined: each service's HTML page contains the cleartext password of the service's account. These external services 
could be anything but a popular example is a Jenkins server.

I believe there is no reason that a service should display the password of another service, as this gives an attacker 
the opportunity to spread laterally. If *anything*, the password should be hashed but then again I fail to see any 
reason this information should be provided at all in this context. This is somewhat even more exploitable given the 
fact that Squash's default credentials are admin:admin.

Details
-------
Here's an example URL: http://localhost:8080/squash/administration/test-automation-servers/1
Here's an extract of the page's source code:
      <label for="ta-server-password">Password</label>
      <div id="ta-server-password" class="display-table-cell" style="font-weight: bold;">cleartext_password</div>

Scoring
-------
Attack vector: network
Attack complexity: low 
Authentication required: yes (admin)
Impacts: confidentiality
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Timeline
--------
2018-07-20: Vulnerability reported as a private security bug: https://ci.squashtest.org/mantis/view.php?id=7553
2018-09-11: ACK required from editor
2018-09-13: Disclosure to oss-sec


Unsure if I should request a CVE for this? Seems kinda trivial.

Guillaume Quéré