In the InControl application, external devices/addresses can be registered and associated with its components. However, the password used for these endpoints is later rendered on the configuration screen in an input field that uses (type="password"). The field type only masks the value on screen; the password itself is already present in the page. An attacker who manages to gain administrative access to the device can change this attribute in the browser to (type="text"), and the password is displayed in clear text.

Device configuration screen

Setting the "password" type for the field

Changing to "text" type the password is revealed

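A check for this class of exposure, as an added example that is not part of the original advisory or of InControl's code: it scans rendered HTML for password inputs that arrive with a non-empty value. Both forms and their field names are constructed for illustration; the second shows the field left empty so the stored secret never reaches the browser.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from InControl): the first form echoes
# the stored secret into the field, the second leaves the field empty.
VULNERABLE_FORM = '''
<form action="/device/save" method="post">
  <input type="text" name="address" value="10.0.0.15">
  <input type="PASSWORD" name="device_password" value="S3cret-Example!">
</form>
'''
HARDENED_FORM = '''
<form action="/device/save" method="post">
  <input type="text" name="address" value="10.0.0.15">
  <input type="password" name="device_password" value=""
         placeholder="unchanged" autocomplete="new-password">
</form>
'''


class PrefilledPasswordFinder(HTMLParser):
    """Collects password inputs whose value attribute carries data."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, not attribute values.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        value = a.get("value", "")
        if value:
            # Report the length only, so the audit output never stores the secret.
            line, _col = self.getpos()
            self.findings.append(
                {"name": a.get("name", ""), "line": line, "length": len(value)})


def find_prefilled_passwords(html):
    """Return one finding per password input that was rendered with a value."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```
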