Product Name: XProtect Expert
Product Version: 2025 R2 (25.2a)
We recently received a CISA Cyber Hygiene report and they presented two concerns on our mobile server (Milestone).
Please see below and recommend a resolution. Thank you.
The IP address I presented xxx.xxx.xxx.xxx is the public IP of the Milestone server that resides in the xxxx DMZ. If you want to browse to that webpage you can search the primary Milestone URL that contains “8082”. The vulnerabilities that I highlighted were identified through a public scan that CISA performed against the server.
As an application developer the Milestone vendor should be well aware of the findings presented, as the identified vulnerabilities apply directly to the work they perform as an app vendor. To aid in identifying these issues here are some starting points.
Web Server Allows Password Auto-Completion xxx.xxx.xxx.xxx:8082
I would assume that your Milestone URL is served on port 8082 with a public IP of xxx.xxx.xxx.xxx. This vulnerability shows that a system user can auto-complete a password within the password field of that URL. To resolve, the vendor will need to advise your team how to add the attribute ‘autocomplete=off’ to credential fields to prevent browsers from caching credentials.
Web Server HTTP Header Internal IP Disclosure xxx.xxx.xxx.xxx
This one is a little more unique. While there are published fixes for this vulnerability on standard web servers (IIS, Apache, NGINX, etc.), it doesn’t appear that Milestone uses any of these web servers. For that reason, there is no way for me to advise how a fix should be applied because the vendor is managing the webpage using non-standard architecture. (This is an assumption based on a quick review of the server. If the vendor states otherwise and is able to provide what web server is in use, it should significantly narrow the scope for resolution.)
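A way to re-check both findings yourself against a saved copy of the login page and the server's response headers, as an added example that is not part of the original post or Milestone's code; the HTML and headers below are constructed samples, not captured from a Mobile Server.

```python
import re
import ipaddress
from html.parser import HTMLParser

# Constructed sample login page (not Milestone's real markup): a password
# field with no autocomplete attribute, which is what the scanner flags.
SAMPLE_HTML = """
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
"""

# Constructed sample response headers with an internal (RFC 1918) address
# leaking through a redirect Location header.
SAMPLE_HEADERS = {
    "Server": "Microsoft-HTTPAPI/2.0",
    "Location": "http://10.0.5.12:8082/index.html",
}

class PasswordFieldParser(HTMLParser):
    """Collect every <input type="password"> and its attributes."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.fields.append(a)

def password_fields_allowing_autocomplete(html):
    """Names of password inputs whose own autocomplete attribute is not 'off'.
    (A form-level autocomplete="off" is not considered by this version.)"""
    p = PasswordFieldParser()
    p.feed(html)
    return [f.get("name") or "?" for f in p.fields
            if (f.get("autocomplete") or "").lower() != "off"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def internal_ips_in_headers(headers):
    """(header, ip) pairs where a private or loopback IPv4 address appears."""
    hits = []
    for name, value in headers.items():
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. "999.1.1.1" is not a valid address
            if ip.is_private or ip.is_loopback:
                hits.append((name, candidate))
    return hits
```

Note that current browsers largely ignore autocomplete="off" on password fields, so adding it satisfies the scanner check more than it changes what a browser's password manager stores.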