{"id":"AZL-36943","summary":"CVE-2023-33187 affecting package highlight 4.18-1","details":"Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type=\"text\"` via a javascript \"Show Password\" button. This differs from the expected behavior which always obfuscates `type=\"password\"` inputs. A customer may assume that switching to `type=\"text\"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0.\nThis patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type=\"password\"` continues to be obfuscated. \n","modified":"2026-04-21T04:25:22.530345Z","published":"2023-05-26T21:15:20Z","upstream":["CVE-2023-33187"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33187"}],"affected":[{"package":{"name":"highlight","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/highlight"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"4.18-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-36943.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}