GHSA-fx6f-fpfv-5hmc

Source

https://github.com/advisories/GHSA-fx6f-fpfv-5hmc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fx6f-fpfv-5hmc/GHSA-fx6f-fpfv-5hmc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fx6f-fpfv-5hmc

Published

2020-09-03T19:10:12Z

Modified

2023-07-27T20:11:54Z

Summary

Malicious Package in uploader-plugin

Details

Version 1.0.2 of uploader-plugin contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

Remove the package from your environment. It's also recommended to evaluate your application to determine whether or not user data was compromised.

Users may consider downgrading to version 1.0.1

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:47:14Z",
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "cwe_ids": []
}

References

https://www.npmjs.com/advisories/1100

Affected packages

npm / uploader-plugin

Package

Name: uploader-plugin; View open source insights on deps.dev
Purl: pkg:npm/uploader-plugin

Affected ranges

Affected versions

1.*

1.0.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fx6f-fpfv-5hmc/GHSA-fx6f-fpfv-5hmc.json"