GHSA-9qpj-qq2r-5mcc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9qpj-qq2r-5mcc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-9qpj-qq2r-5mcc/GHSA-9qpj-qq2r-5mcc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9qpj-qq2r-5mcc
- Aliases
-
- CVE-2023-33187
- Published
- 2023-05-26T13:52:19Z
- Modified
- 2023-11-08T04:12:39.505858Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- html inputs of type password recorded in plaintext when converted to text inputs
- Details
-
Impact
Highlight may record passwords on customer deployments when a password html input is switched to
type="text"via a javascript "Show Password" button. This differs from the expected behavior which always obfuscatestype="password"inputs. A customer may assume that switching totype="text"would also not record this input; hence, they would not add additionalhighlight-maskcss-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when aShow Passwordbutton is used.Patches
highlight.run@6.0.0resolves the issue via https://github.com/rrweb-io/rrweb/pull/1184 This patch tracks changes to thetypeattribute of an input to ensure an input that used to be atype="password"continues to be obfuscated.Workarounds
We have deployed a change to our data ingest to obfuscate passwords server side from older clients. This means that upgrading to the latest version of highlight.run is not necessary but recommended to prevent potential network transfer of recorded password data to our backend.
References
https://github.com/rrweb-io/rrweb/pull/1184
- Database specific
{ "nvd_published_at": "2023-05-26T21:15:20Z", "cwe_ids": [ "CWE-319" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-05-26T13:52:19Z" }- References
Affected packages
npm / highlight.run
Package
- Name
- highlight.run
- View open source insights on deps.dev
- Purl
- pkg:npm/highlight.run