SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: High (?)
Identifier:: ss-2017-010
Versions Affected:: 4.0.0
Versions Fixed:: 4.0.1
Release Date:: 2017-12-07

When accessing the install.php script it is possible to extract any pre-configured database or default admin account password by viewing the source of the page, and inspecting the `value` property of the password fields.

Sites which do not have install.php deployed are not affected.