vulnerability

Alpine Linux: CVE-2023-33187: Cleartext Transmission of Sensitive Information

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:S/C:C/I:N/A:N)	May 26, 2023	Mar 21, 2024	Mar 22, 2024

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:N/A:N)

Published

May 26, 2023

Added

Mar 21, 2024

Modified

Mar 22, 2024

Description

Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0.
This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated.

Solution

alpine-linux-upgrade-highlight

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today