CVE-2023-33187

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-33187

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33187.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-33187

Aliases

GHSA-9qpj-qq2r-5mcc

Published

2023-05-26T20:11:54Z

Modified

2025-10-21T02:35:29Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

highlight vulnerable to cleartext transmission of sensitive information

Details

Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to type="text" via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates type="password" inputs. A customer may assume that switching to type="text" would also not record this input; hence, they would not add additional highlight-mask css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a Show Password button is used. This issue was patched in version 6.0.0. This patch tracks changes to the type attribute of an input to ensure an input that used to be a type="password" continues to be obfuscated.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "6.0.0"
            }
        ],
        "type": ""
    }
]