LDAP password disclosed on admin page
I am an Openfire administrator
I have my Openfire server set up for LDAP
The LDAP password is sent to the browser in plain text (obscured only by a password field) when I view the LDAP settings
Marked as minor, as it requires admin console access, although it could be used in another attack to use that credential or egress that password elsewhere.
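A regression check for this class of bug, as an added example that is not Openfire code: it parses a rendered settings page and reports every password input that arrives from the server with a non-empty `value` attribute. The sample markup and the field names `adminDN` and `adminPassword` are constructed for illustration and are not taken from Openfire's actual page.

```python
from html.parser import HTMLParser

# Constructed sample: the stored secret is echoed back into the form.
VULNERABLE_PAGE = """
<form method="post">
  <input type="text" name="adminDN" value="cn=admin,dc=example,dc=org">
  <input type="password" name="adminPassword" value="constructed-secret">
</form>
"""

# Constructed sample: the field is rendered empty; the server would keep
# the stored secret unless the administrator submits a new one.
FIXED_PAGE = """
<form method="post">
  <input type="text" name="adminDN" value="cn=admin,dc=example,dc=org">
  <input type="password" name="adminPassword" value="">
</form>
"""


class PasswordFieldAuditor(HTMLParser):
    """Collects names of password inputs that carry a server-supplied value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").lower() == "password" and attr.get("value", "").strip():
            self.findings.append(attr.get("name", "<unnamed>"))


def prefilled_password_fields(html):
    """Return the names of password inputs whose value is sent in the markup."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, prefilled_password_fields(page))
```

Run against the HTML of each admin page as fetched by an authenticated test session, a non-empty result means the secret is present in the response body regardless of how the browser masks it on screen.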