Information Exposure Affecting highlight.run package, versions <6.0.0
Snyk CVSS
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Threat Intelligence
EPSS
0.05% (17th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-HIGHLIGHTRUN-5660294
- published 28 May 2023
- disclosed 26 May 2023
- credit Unknown
Introduced: 26 May 2023
CVE-2023-33187 Open this link in a new tabHow to fix?
Upgrade highlight.run
to version 6.0.0 or higher.
Overview
highlight.run is an Open source, fullstack monitoring. Capture frontend errors, record server side logs, and visualize what broke with session replay.
Affected versions of this package are vulnerable to Information Exposure via html inputs of type password which are recorded in plaintext when converted to text inputs.
Workarounds
A change to the data ingest was deployed to obfuscate passwords server side from older clients. This is for users who cannot upgrade to the fixed version.