<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - [CVE 21] highlight 3.28 CVEs found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13536">13536</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] highlight 3.28  CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2023-33187,
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>e.kosachev&#64;rosalinux.ru, s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Please patch CVEs for package highlight version 3.28

INFO (CVEs are): highlight 3.28
 cves found
CVE-2023-33187
Desc: Highlight is an open source, full-stack monitoring platform. Highlight
may record passwords on customer deployments when a password html input is
switched to `type=&quot;text&quot;` via a javascript &quot;Show Password&quot; button. This differs
from the expected behavior which always obfuscates `type=&quot;password&quot;` inputs. A
customer may assume that switching to `type=&quot;text&quot;` would also not record this
input; hence, they would not add additional `highlight-mask` css-class
obfuscation to this part of the DOM, resulting in unintentional recording of a
password value when a `Show Password` button is used. This issue was patched in
version 6.0.0.
This patch tracks changes to the `type` attribute of an input to ensure an
input that used to be a `type=&quot;password&quot;` continues to be obfuscated. 

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-33187">https://nvd.nist.gov/vuln/detail/CVE-2023-33187</a>
Severity: MEDIUM</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>