GHSA-2p62-c4rm-mr72

Source

https://github.com/advisories/GHSA-2p62-c4rm-mr72

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2p62-c4rm-mr72/GHSA-2p62-c4rm-mr72.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2p62-c4rm-mr72

Published

2020-09-01T19:44:57Z

Modified

2023-12-07T22:04:42Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Malicious Package in another-date-picker

Details

Version 2.0.43 of another-date-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

If version 2.0.43 of this module is found installed you will want to replace it with a version before or after 2.0.43. In addition to replacing the installed module, you will also want to evaluate your application to determine whether or not user data was compromised.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:30:01Z",
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-506"
    ]
}

References

Affected packages

npm / another-date-picker

Package

Name: another-date-picker; View open source insights on deps.dev
Purl: pkg:npm/another-date-picker

Affected ranges

Type: SEMVER
Events: Introduced

2.0.43

Fixed

2.0.45

Affected versions

2.*

2.0.43

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2p62-c4rm-mr72/GHSA-2p62-c4rm-mr72.json"