GHSA-m7xv-7p93-g6q8

Source

https://github.com/advisories/GHSA-m7xv-7p93-g6q8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-m7xv-7p93-g6q8/GHSA-m7xv-7p93-g6q8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m7xv-7p93-g6q8

Published

2020-09-03T00:35:35Z

Modified

2023-07-27T20:05:00Z

Summary

Malicious Package in libubx

Details

Version 1.0.3 of libubx contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

Remove the package from your environment and evaluate your application to determine whether or not user data was compromised.

Users may consider downgrading to version 1.0.2

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:41:13Z",
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL"
}

References

https://www.npmjs.com/advisories/938

Affected packages

npm / libubx

Package

Name: libubx; View open source insights on deps.dev
Purl: pkg:npm/libubx

Affected ranges

Affected versions

1.*

1.0.3