A bug in the WebUI can lead to disclosure of the credentials of previously logged-in users.
Under certain conditions, a local, physical attacker can obtain the passwords of previously logged-in users from the WebUI.
This problem occurs if the following conditions apply:
- A logged-in user locks the WebUI or logs out, but does not close the browser tab.
- The attacker gets local access to the browser tab.
Affected versions: privacyIDEA < 2.21.4
Workarounds:
- No third party should use the user’s computer/desktop.
- The desktop should be locked when the user leaves it.
- The browser tab should be closed when the user has finished working in the UI.
This bug is fixed in the current version 2.21.4 of privacyIDEA.