Highlight · Highlight · CVE-2023-33187
**Name of the Vulnerable Software and Affected Versions**
Highlight versions prior to 6.0.0
**Description**
Highlight may record passwords on customer deployments when a password HTML input is switched to `type="text"` via a JavaScript "Show Password" button. Highlight is expected to always obfuscate `type="password"` inputs, but that obfuscation is not applied once the input type is changed. A customer may assume that an input switched to `type="text"` is still excluded from recording, so password values can be recorded unintentionally when a "Show Password" button is used.
**Recommendations**
For versions prior to 6.0.0, upgrade to version 6.0.0 to ensure that inputs which used to be `type="password"` continue to be obfuscated even when their type is changed.
As a temporary workaround, consider adding the `highlight-mask` CSS class to the affected parts of the DOM so that they are obfuscated and password values are not recorded unintentionally.
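The masking decision described above, as an added example that is not Highlight's own code: it contrasts a check on the input's current type with one that remembers inputs that were ever `type="password"`, and shows the `highlight-mask` workaround. Inputs are modelled as plain objects so it runs in Node without a DOM; all function names and the sample value are assumptions made for illustration.

```javascript
// Added illustration, not Highlight's source. An input is modelled as
// { type, className, value }; the class name comes from the advisory.
const MASK_CLASS = 'highlight-mask';

function hasMaskClass(input) {
  return (input.className || '').split(/\s+/).includes(MASK_CLASS);
}

// Behaviour the advisory describes for versions prior to 6.0.0:
// only the input's current type (or an explicit mask class) is considered.
function shouldMaskCurrentType(input) {
  return input.type === 'password' || hasMaskClass(input);
}

// Behaviour the fix aims for: once an input has been type="password",
// keep obfuscating it even after its type changes.
const everPassword = new WeakSet();
function shouldMaskSticky(input) {
  if (input.type === 'password') everPassword.add(input);
  return everPassword.has(input) || hasMaskClass(input);
}

// What a recorder would store for this input under a given policy.
function recordValue(input, shouldMask) {
  return shouldMask(input) ? '*'.repeat(input.value.length) : input.value;
}

// Constructed sample session: the value is captured while hidden, then
// again after a "Show Password" button flips the type to "text".
function simulateToggle(shouldMask, className = '') {
  const input = { type: 'password', className, value: 'hunter2!' };
  const recorded = [recordValue(input, shouldMask)];
  input.type = 'text'; // "Show Password" clicked
  recorded.push(recordValue(input, shouldMask));
  return recorded;
}

console.log('current-type check:', simulateToggle(shouldMaskCurrentType));
console.log('sticky check:      ', simulateToggle(shouldMaskSticky));
console.log('with workaround:   ',
  simulateToggle(shouldMaskCurrentType, 'login-field highlight-mask'));
```
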