We got the feedback a little differently: Mendix uses POST, but it can be changed to the supposedly less secure GET and then still works. We ignored it: you need to do some hackish stuff to change it to a GET call and there is no upside to doing so. The CVSS score was quite low, iirc. Also, I don't think there is much we as developers can do; it's a Mendix thing to allow GET on the login request handler.