Moderate severity · NVD Advisory · Published May 26, 2023 · Updated Jan 14, 2025

highlight vulnerable to cleartext transmission of sensitive information

CVE-2023-33187

Description

Highlight is an open-source, full-stack monitoring platform. On customer deployments, Highlight's session recorder may record passwords when a password HTML input is switched to type="text" by a JavaScript "Show Password" button. This differs from the expected behavior, in which inputs of type="password" are always obfuscated. A customer may assume that an input switched to type="text" would likewise not be recorded, and therefore not add the additional highlight-mask CSS class to that part of the DOM, resulting in unintentional recording of the password value whenever the Show Password button is used. This issue was patched in version 6.0.0. The patch tracks changes to an input's type attribute so that an input that was previously type="password" continues to be obfuscated.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem  Affected versions  Patched versions
highlight.run  npm        < 6.0.0            6.0.0
