
CVE-2023-33187


Date: May 26, 2023

Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password HTML input is switched to type="text" via a JavaScript "Show Password" button. This differs from the expected behavior, which always obfuscates type="password" inputs. A customer may assume that an input switched to type="text" would also not be recorded; hence, they would not add additional "highlight-mask" CSS class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a "Show Password" button is used. This issue was patched in version 6.0.0. The patch tracks changes to the "type" attribute of an input to ensure that an input that used to be type="password" continues to be obfuscated.
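
A minimal model of the behaviour described above, added here as an illustration and not taken from Highlight's source code: a recorder that masks only on the current type attribute, next to one that remembers every input that has ever been type="password". All function and variable names are hypothetical, and plain objects stand in for DOM inputs so the sketch runs without a browser.

```javascript
// Added illustration; not highlight.run code. All names are hypothetical.
// Plain objects stand in for <input> elements; in a browser the type changes
// would be delivered by a MutationObserver watching the "type" attribute.
const MASK_CLASS = "highlight-mask"; // class name quoted in the advisory

function createRecorder({ stickyPassword }) {
  const wasPassword = new WeakSet(); // inputs ever seen as type="password"
  const recorded = [];               // values that would reach the session replay
  const mask = (v) => "*".repeat(v.length);

  function shouldMask(input) {
    if (input.classList.includes(MASK_CLASS)) return true; // explicit opt-in
    if (input.type === "password") return true;            // current type
    return stickyPassword && wasPassword.has(input);       // type history
  }

  return {
    recorded,
    // Call when an input is first seen and on every change of its type.
    observeType(input) {
      if (input.type === "password") wasPassword.add(input);
    },
    // Call on every input event.
    onInput(input) {
      recorded.push(shouldMask(input) ? mask(input.value) : input.value);
    },
  };
}

// Constructed scenario: the user types, clicks "Show Password", keeps typing.
function replayShowPassword(recorder) {
  const input = { type: "password", classList: [], value: "" };
  recorder.observeType(input);
  input.value = "hunter2";
  recorder.onInput(input);
  input.type = "text"; // the "Show Password" toggle
  recorder.observeType(input);
  input.value = "hunter2!";
  recorder.onInput(input);
  return recorder.recorded;
}

const before = replayShowPassword(createRecorder({ stickyPassword: false }));
const after = replayShowPassword(createRecorder({ stickyPassword: true }));
console.log({ before, after });
```
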

Severity Score

Weakness Type (CWE)

Cleartext Transmission of Sensitive Information

CWE-319

Top Fix

Upgrade Version

Upgrade to version highlight.run - 6.0.0

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): HIGH
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE