html inputs of type password recorded in plaintext when converted to text inputs
Severity: Medium
Description
highlight.run, the Highlight session-recording client, obfuscates the value of an input only while its type attribute is "password" at the moment the value is captured. Login forms on customer deployments commonly offer a JavaScript "Show Password" button, and that button usually works by switching the input's type from "password" to "text". After the switch the field no longer matches the password rule, so affected versions record whatever the user typed into the session replay in plaintext. This differs from the expected behavior, under which a password input is always obfuscated.
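To make the failure mode concrete, the following added example (written for this page, not highlight.run's own code) contrasts a masking rule that looks only at the element's current type with one that remembers that an element has ever been a password field. It runs against a constructed stand-in for a DOM input so it executes without a browser; the stand-in, the `data-mask` opt-in attribute name and the sample credential are all assumptions of the example.

```javascript
// Added example (not highlight.run's code): a minimal session-recorder masking rule, run against a
// constructed stand-in for a DOM <input> so it executes without a browser.
const MASK = "***";

// Stand-in for an <input>. setAttribute notifies observers with the old value, mimicking the
// MutationObserver attribute records a real recorder would receive.
class FakeInput {
  constructor(type, value) {
    this.attrs = { type };
    this.value = value;
    this.observers = [];
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  setAttribute(name, value) {
    const old = this.getAttribute(name);
    this.attrs[name] = String(value);
    for (const cb of this.observers) cb(this, name, old);
  }
}

// Vulnerable rule: decide purely from the element's type at the moment the value is captured.
// Once a "Show password" toggle has set type="text", the value is captured verbatim.
function captureVulnerable(el) {
  return el.getAttribute("type") === "password" ? MASK : el.value;
}

// Hardened recorder: remembers every element that has ever carried type="password"
// (learned at observe time and from attribute-change notifications) and also honours
// an explicit opt-in marker, data-mask (an attribute name assumed for this example).
class HardenedRecorder {
  constructor() {
    this.everPassword = new WeakSet();
  }
  observe(el) {
    if (el.getAttribute("type") === "password") this.everPassword.add(el);
    el.observers.push((target, name, oldValue) => {
      if (name === "type" && oldValue === "password") this.everPassword.add(target);
    });
  }
  capture(el) {
    const sensitive =
      this.everPassword.has(el) ||
      el.getAttribute("type") === "password" ||
      el.getAttribute("data-mask") !== null;
    return sensitive ? MASK : el.value;
  }
}

// The "Show password" toggle as a login page would implement it.
function togglePasswordVisibility(el) {
  el.setAttribute("type", el.getAttribute("type") === "password" ? "text" : "password");
}

// Walk through the scenario from the advisory with a constructed credential.
function simulate() {
  const pw = new FakeInput("password", "hunter2"); // constructed sample value, not real data
  const recorder = new HardenedRecorder();
  recorder.observe(pw);
  const before = { vulnerable: captureVulnerable(pw), hardened: recorder.capture(pw) };
  togglePasswordVisibility(pw); // user clicks "Show Password"
  const after = { vulnerable: captureVulnerable(pw), hardened: recorder.capture(pw) };
  return { before, after };
}

console.log(JSON.stringify(simulate(), null, 2));
```

Before the toggle both rules emit the mask; after it the type-only rule emits the cleartext credential while the hardened recorder still masks, because it keys on the element's history rather than its current attribute. On the application side the same idea applies in reverse: marking sensitive fields with an explicit masking marker (the assumed `data-mask` here; use whatever opt-in mechanism your recorder documents) removes the dependency on the type attribute altogether.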
Recommendation
Update the highlight.run package to the latest compatible version. Version details:
- Affected version(s): < 6.0.0
- Patched version(s): 6.0.0
Upgrading stops new recordings from capturing toggled password fields; it does not alter session recordings already captured with an affected version, so those should be reviewed and any credentials they contain treated as exposed.
Tags: npm, highlight.run
Last updated on November 08, 2023