html inputs of type password recorded in plaintext when converted to text inputs

Severity:: Medium

Description

Highlight may record passwords on customer deployments when a password html input is switched to type="text" via a javascript “Show Password” button. This differs from the expected behavior which always obfuscates type="password" inputs.

Recommendation

Update the highlight.run package to the latest compatible version. Followings are version details:

Affected version(s): < 6.0.0
Patched version(s): 6.0.0

References

GHSA-9qpj-qq2r-5mcc
CVE-2023-33187
CWE-319
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label - CVE-2022-31160
Making all attributes on a content-type public without noticing it - @strapi/database - CVE-2023-34093
Making all attributes on a content-type public without noticing it - @strapi/utils - CVE-2023-34093
Making all attributes on a content-type public without noticing it - CVE-2023-34093

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; highlight.run

Anything's wrong? Let us know Last updated on November 08, 2023