html inputs of type password recorded in plaintext when converted to text inputs
- Severity:
- Medium
Description
Highlight may record passwords on customer deployments when a password html input is switched to type="text" via a javascript “Show Password” button. This differs from the expected behavior which always obfuscates type="password" inputs.
Recommendation
Update the highlight.run package to the latest compatible version. Followings are version details:
- Affected version(s): < 6.0.0
- Patched version(s): 6.0.0
References
Related Issues
- jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label - CVE-2022-31160
- @fastify/reply-from JSON Content-Type parsing confusion - CVE-2023-51701
- CouchAuth host header injection vulnerability leaks the password reset token - CVE-2023-39655
- jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs - CVE-2026-4598
You might also like:
- Tags:
- npm
- highlight.run
Anything's wrong? Let us know Last updated on November 08, 2023


