A customer reported an application security vulnerability: the password is stored in plain text in browser memory.
Basically, once you have logged in to and logged out of a reporting console in a browser and take a memory dump of that browser process, the password can be seen in plain text in the dump.
The SAP product owner and the SAP Security team concluded that this scenario cannot be considered a bug, for the reasons below. It needs to be addressed by machine-level security at the customer's end, and there is very little SAP can do here.
1. You can take a browser dump using Task Manager or Process Explorer only while you are actively using your browser; if the browser is closed or Process Explorer terminates, the password will not be visible to the targeted user. This goes beyond the application scope and needs to be handled by enforcing machine-level security so that automatic/illegal dumps cannot be created at run time. As per the guidelines, it is the end user's responsibility to close the browser on completion of the task, at least when the system is shared between multiple users.
2. Running the BOE application and a tool that captures BOE requests on the same system cannot be considered a valid use case. This is quite common behavior/limitation in all web applications and cannot be considered a BOE application issue. If a hacker is able to log in to your system and obtain a browser dump or capture requests from the system, then not only BOE but your whole system will be at risk. This needs to be taken care of by machine-level security.
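To retest the reported finding on a test system in a repeatable way, the following added example (not SAP code) scans a dump file for a known test password stored as single-byte or two-byte characters and reports the file offsets. The password, the stand-in dump file and the function names are constructed for illustration.

```python
import os
import tempfile

def find_secret_in_dump(path, secret, chunk=1 << 20):
    """Return {encoding: sorted file offsets} where `secret` occurs in the dump."""
    if not secret:
        raise ValueError("secret must be a non-empty test password")
    # A dump may hold the same string as single-byte or two-byte characters.
    needles = {enc: secret.encode(enc) for enc in ("utf-8", "utf-16-le")}
    overlap = max(len(n) for n in needles.values()) - 1
    hits = {enc: set() for enc in needles}
    base, tail = 0, b""
    with open(path, "rb") as f:
        # Read in chunks so a multi-GB dump never has to fit in RAM; keep an
        # overlap so a match that straddles two chunks is still found.
        while block := f.read(chunk):
            buf = tail + block
            start = base - len(tail)  # file offset of buf[0]
            for enc, needle in needles.items():
                pos = buf.find(needle)
                while pos != -1:
                    hits[enc].add(start + pos)
                    pos = buf.find(needle, pos + 1)
            tail = buf[-overlap:]
            base += len(block)
    return {enc: sorted(offs) for enc, offs in hits.items()}

def write_constructed_dump(secret):
    """Write a small constructed stand-in for a process dump; return its path."""
    data = (b"\x00" * 10 + secret.encode("utf-8") + b"\xff" * 5
            + secret.encode("utf-16-le") + b"\x00" * 7)
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    test_pw = "Test-Only-Pw-123!"  # constructed password for a throwaway test account
    dump = write_constructed_dump(test_pw)
    try:
        for enc, offsets in find_secret_in_dump(dump, test_pw).items():
            print(f"{enc}: {len(offsets)} hit(s) at {offsets}")
    finally:
        os.remove(dump)
```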