Apache · Apache Isis · CVE-2022-42467
**Name of the Vulnerable Software and Affected Versions**
Apache Isis versions prior to 2.0.0-M8
**Description**
The h2 webconsole module is automatically made available when running in prototype mode, allowing direct queries to the database. To improve security, access to the webconsole now requires explicit enablement by the developer through the `isis.prototyping.h2-console.web-allow-remote-access` configuration property. As an additional safeguard, the `isis.prototyping.h2-console.generate-random-web-admin-password` configuration parameter requires a randomly generated password for console access, which is printed to the log as `webAdminPass: xxx`. The h2 webconsole is never available in production mode.
**Recommendations**
Update to version 2.0.0-M8 or later, where the web console is unavailable unless the `isis.prototyping.h2-console.web-allow-remote-access` configuration property is set. Developers who need the previous behavior can set that property to `true` and the `isis.prototyping.h2-console.generate-random-web-admin-password` configuration parameter to `false`, which reverts to the original, unrestricted console access. Until the update can be applied, restrict access to the h2 webconsole module as a temporary workaround.
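As an added example (not Apache Isis code), the following Python audit parses an `application.properties` fragment and reports whether the two properties described above leave the h2 web console remotely reachable without a random admin password; the sample configurations are constructed, and the default values assumed for unset properties are labelled in the code.

```python
"""Audit Apache Isis h2 console settings relevant to CVE-2022-42467.
Added example, not part of Apache Isis."""
import re
from typing import Dict, Tuple

REMOTE_KEY = "isis.prototyping.h2-console.web-allow-remote-access"
RANDOM_PW_KEY = "isis.prototyping.h2-console.generate-random-web-admin-password"

# Assumed defaults for 2.0.0-M8+: remote access is off unless the property
# is set (per the advisory); the random-password default of "true" is an
# assumption made for this example.
DEFAULTS = {REMOTE_KEY: "false", RANDOM_PW_KEY: "true"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: skips blank and '#'/'!' comment lines,
    accepts 'key=value', 'key: value' and 'key value'."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_h2_console(text: str) -> Tuple[str, str]:
    """Return (level, message): 'ok', 'warn' or 'fail' for the h2 console posture."""
    props = parse_properties(text)
    remote = props.get(REMOTE_KEY, DEFAULTS[REMOTE_KEY]).lower() == "true"
    random_pw = props.get(RANDOM_PW_KEY, DEFAULTS[RANDOM_PW_KEY]).lower() == "true"
    if not remote:
        return "ok", "h2 web console is not remotely reachable"
    if random_pw:
        return "warn", "h2 web console reachable; protected by random admin password (see webAdminPass in log)"
    return "fail", "h2 web console reachable without random admin password (pre-2.0.0-M8 behaviour)"


# Constructed sample configurations.
HARDENED = "# prototype mode, console left disabled\nisis.prototyping.h2-console.web-allow-remote-access=false\n"
REVERTED = (
    "isis.prototyping.h2-console.web-allow-remote-access = true\n"
    "isis.prototyping.h2-console.generate-random-web-admin-password: false\n"
)

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("reverted", REVERTED)):
        print(name, *audit_h2_console(cfg))
```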