CVE-2023-33187 highlight vulnerable to cleartext transmission of sensitive information

2023-05-2620:11:54

CWE-319

GitHub_M

www.cve.org

cve-2023-33187

vulnerability

highlight

recording

cleartext

passwords

sensitive information

transmission

monitoring platform

open source

javascript

show password

patch

version 6.0.0

input type

obfuscation

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

35.0%

JSON

Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to type="text" via a javascript “Show Password” button. This differs from the expected behavior which always obfuscates type="password" inputs. A customer may assume that switching to type="text" would also not record this input; hence, they would not add additional highlight-mask css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a Show Password button is used. This issue was patched in version 6.0.0.
This patch tracks changes to the type attribute of an input to ensure an input that used to be a type="password" continues to be obfuscated.

CNA Affected

[
  {
    "vendor": "highlight",
    "product": "highlight",
    "versions": [
      {
        "version": "< 6.0.0",
        "status": "affected"
      }
    ]
  }
]