CVE-2023-33187

highlight vulnerable to cleartext transmission of sensitive information

Description

Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0. This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated.

Category

5.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Vendor Advisory github.com
Affected: highlight highlight
Published at:
Updated at:

References

Link Tags
https://github.com/highlight/highlight/security/advisories/GHSA-9qpj-qq2r-5mcc vendor advisory
https://github.com/rrweb-io/rrweb/pull/1184 issue tracking patch

Frequently Asked Questions

What is the severity of CVE-2023-33187?
CVE-2023-33187 has been scored as a medium severity vulnerability.
How to fix CVE-2023-33187?
To fix CVE-2023-33187, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-33187 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-33187 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-33187?
CVE-2023-33187 affects highlight highlight.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.