GHSA-563h-697m-j7x5

Source

https://github.com/advisories/GHSA-563h-697m-j7x5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-563h-697m-j7x5/GHSA-563h-697m-j7x5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-563h-697m-j7x5

Published

2020-09-03T19:18:58Z

Modified

2023-07-27T20:36:07Z

Summary

Malicious Package in device-mqtt

Details

Version 1.0.11 of device-mqtt contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

Remove the package from your environment. It's also recommended to evaluate your application to determine whether or not user data was compromised.

Users may consider downgrading to version 1.0.10

Database specific

{
    "github_reviewed_at": "2020-08-31T18:47:35Z",
    "cwe_ids": [],
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

https://www.npmjs.com/advisories/1109

Affected packages

npm / device-mqtt

Package

Name: device-mqtt; View open source insights on deps.dev
Purl: pkg:npm/device-mqtt

Affected ranges

Affected versions

1.*

1.0.11