CVE-2023-33187
CVSS V2 None
CVSS V3 None
Description
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0.
This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated.
Overview
- CVE ID
- CVE-2023-33187
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2023-05-26T20:11:54.507Z
- Last Modified Date
- 2023-05-26T20:11:54.507Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc | x_refsource_CONFIRM |
| https://github.com/rrweb-io/rrweb/pull/1184 | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-33187 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33187 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-25 08:33:16 | Added to TrackCVE |