CVE-2023-33187 - Vulnerability Details - OpenCVE

Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0. This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Highlight	Highlight

Configuration 1 [-]

cpe:2.3:a:highlight:highlight:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc
https://github.com/rrweb-io/rrweb/pull/1184

History

Tue, 14 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-26T20:11:54.507Z

Updated: 2025-01-14T19:30:59.002Z

Reserved: 2023-05-17T22:25:50.697Z

Link: CVE-2023-33187

Vulnrichment

Updated: 2024-08-02T15:39:35.715Z

NVD

Status : Modified

Published: 2023-05-26T21:15:20.693

Modified: 2024-11-21T08:05:04.797

Link: CVE-2023-33187

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33187", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-17T22:25:50.697Z", "datePublished": "2023-05-26T20:11:54.507Z", "dateUpdated": "2025-01-14T19:30:59.002Z"}, "containers": {"cna": {"title": "highlight vulnerable to cleartext transmission of sensitive information", "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "lang": "en", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc"}, {"name": "https://github.com/rrweb-io/rrweb/pull/1184", "tags": ["x_refsource_MISC"], "url": "https://github.com/rrweb-io/rrweb/pull/1184"}], "affected": [{"vendor": "highlight", "product": "highlight", "versions": [{"version": "< 6.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-26T20:11:54.507Z"}, "descriptions": [{"lang": "en", "value": "Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type=\"text\"` via a javascript \"Show Password\" button. This differs from the expected behavior which always obfuscates `type=\"password\"` inputs. A customer may assume that switching to `type=\"text\"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0.\nThis patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type=\"password\"` continues to be obfuscated. \n"}], "source": {"advisory": "GHSA-9qpj-qq2r-5mcc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:35.715Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc"}, {"name": "https://github.com/rrweb-io/rrweb/pull/1184", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rrweb-io/rrweb/pull/1184"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-14T19:30:51.170909Z", "id": "CVE-2023-33187", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-14T19:30:59.002Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc", "name": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/rrweb-io/rrweb/pull/1184", "name": "https://github.com/rrweb-io/rrweb/pull/1184", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:35.715Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-33187", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-14T19:30:51.170909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-14T19:30:55.464Z"}}], "cna": {"title": "highlight vulnerable to cleartext transmission of sensitive information", "source": {"advisory": "GHSA-9qpj-qq2r-5mcc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "highlight", "product": "highlight", "versions": [{"status": "affected", "version": "< 6.0.0"}]}], "references": [{"url": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc", "name": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rrweb-io/rrweb/pull/1184", "name": "https://github.com/rrweb-io/rrweb/pull/1184", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type=\"text\"` via a javascript \"Show Password\" button. This differs from the expected behavior which always obfuscates `type=\"password\"` inputs. A customer may assume that switching to `type=\"text\"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0.\nThis patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type=\"password\"` continues to be obfuscated. \n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-26T20:11:54.507Z"}}}, "cveMetadata": {"cveId": "CVE-2023-33187", "state": "PUBLISHED", "dateUpdated": "2025-01-14T19:30:59.002Z", "dateReserved": "2023-05-17T22:25:50.697Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-26T20:11:54.507Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:highlight:highlight:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "98A60E3C-555D-4105-91BD-5E3FBAFE4465", "versionEndExcluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type=\"text\"` via a javascript \"Show Password\" button. This differs from the expected behavior which always obfuscates `type=\"password\"` inputs. A customer may assume that switching to `type=\"text\"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0.\nThis patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type=\"password\"` continues to be obfuscated. \n"}], "id": "CVE-2023-33187", "lastModified": "2024-11-21T08:05:04.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-26T21:15:20.693", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/rrweb-io/rrweb/pull/1184"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/rrweb-io/rrweb/pull/1184"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}