CVE-2023-33187

Name
CVE-2023-33187
Description
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0. This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc
MISC https://github.com/rrweb-io/rrweb/pull/1184

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:highlight:highlight:*:*:*:*:*:node.js:*:* highlight >= None < 6.0.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
highlight 3.18-main 4.5-r2 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
highlight 3.17-main 4.4-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
highlight 3.16-main 4.2-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
highlight 3.15-main 4.1-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
highlight edge-main 4.8-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable