PT-2023-24204 · Highlight · Highlight

Vadman97 · Published 2023-05-26 · Updated 2023-06-05 · CVE-2023-33187

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Highlight versions prior to 6.0.0

Description: Highlight may record passwords on customer deployments when a password HTML input is switched to type="text" by a JavaScript "Show Password" button. The recorder obfuscates an input based on its current type: inputs of type="password" are always masked, but that rule is not carried over when the type is changed, so the same field is recorded in clear text after the toggle. Customers who assumed the field would stay masked after switching to type="text" may therefore have had password values captured unintentionally whenever a user pressed "Show Password".

Recommendations: For versions prior to 6.0.0, upgrade to version 6.0.0, which keeps obfuscating inputs that were originally type="password" even after their type is changed. As a temporary workaround, apply the highlight-mask CSS class to the affected parts of the DOM (the password input and anything that displays its value) so that the recorder masks them regardless of the input type.
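The following is an added example, not Highlight's code, illustrating the failure mode in the description and the two remedies in the recommendations. It models the recorder's masking decision with a constructed stand-in for a DOM input (so it runs without a browser) and a vulnerable rule that looks only at the element's current type, beside a hardened rule that remembers whether an element was ever type="password". The per-element memory (a WeakSet), the function names and the sample value are assumptions for illustration; only the highlight-mask class name comes from the advisory.

```javascript
// Added example (not Highlight's code): a session-replay recorder that masks
// by current input type leaks the password once a "Show Password" button
// switches the field to type="text". Element model, recorder and rules are
// constructed here for illustration.

const MASK_CLASS = "highlight-mask"; // workaround class named in the advisory
const MASK_CHAR = "*";

// Minimal stand-in for a DOM <input>, enough to run this outside a browser.
function makeInput(type, value, className = "") {
  return { type, value, className };
}

function hasClass(el, name) {
  return el.className.split(/\s+/).includes(name);
}

// The "Show Password" button: flips the input type in place.
function togglePasswordVisibility(el) {
  el.type = el.type === "password" ? "text" : "password";
}

function mask(value) {
  return MASK_CHAR.repeat(value.length);
}

// Vulnerable rule: decide per snapshot from the element's current type
// (plus the explicit mask class). After the toggle the type is "text",
// so the real value is written into the recording.
function recordValueVulnerable(el) {
  const sensitive = el.type === "password" || hasClass(el, MASK_CLASS);
  return sensitive ? mask(el.value) : el.value;
}

// Hardened rule: an element stays masked once it has ever been seen as
// type="password". The WeakSet is an assumed way to keep that history
// without leaking memory for elements that are removed from the DOM.
const everPassword = new WeakSet();

function recordValueHardened(el) {
  if (el.type === "password") everPassword.add(el);
  const sensitive = everPassword.has(el) || hasClass(el, MASK_CLASS);
  return sensitive ? mask(el.value) : el.value;
}

// Simulate one session: snapshot the field, press "Show Password", snapshot
// again. Returns what each snapshot would have recorded.
function simulateSession(recordValue, className = "") {
  const pw = makeInput("password", "hunter2", className); // constructed sample value
  const before = recordValue(pw);
  togglePasswordVisibility(pw);
  const after = recordValue(pw);
  return { before, after };
}

console.log("vulnerable:       ", simulateSession(recordValueVulnerable));
console.log("hardened:         ", simulateSession(recordValueHardened));
console.log("class workaround: ", simulateSession(recordValueVulnerable, MASK_CLASS));
console.log("plain text field: ", recordValueHardened(makeInput("text", "alice")));
```

The third line of output is the pre-6.0.0 workaround from the recommendations: the vulnerable rule still masks the toggled field because the class check does not depend on the input type. The last line confirms the hardened rule does not over-mask ordinary text inputs, which matters because masking everything would make the replay useless.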


Weakness Enumeration

CWE-319: Cleartext Transmission of Sensitive Information

Related Identifiers

AZL-36943
CVE-2023-33187
GHSA-9QPJ-QQ2R-5MCC

Affected Products

Highlight