Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJwNjItYzRybS1tcjcy
Malicious Package in another-date-picker
Version 2.0.43 of another-date-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=
Recommendation
If version 2.0.43 of this module is found installed you will want to replace it with a version before or after 2.0.43. In addition to replacing the installed module, you will also want to evaluate your application to determine whether or not user data was compromised.
Permalink: https://github.com/advisories/GHSA-2p62-c4rm-mr72JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJwNjItYzRybS1tcjcy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: 5 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2p62-c4rm-mr72
References:
- https://www.npmjs.com/advisories/616
- https://github.com/bi-a/mydatepicker
- https://github.com/kekeh/mydatepicker
- https://snyk.io/vuln/SNYK-JS-ANOTHERDATEPICKER-451013
- https://github.com/advisories/GHSA-2p62-c4rm-mr72
Blast Radius: 0.0
Affected Packages
npm:another-date-picker
Dependent packages: 2Dependent repositories: 1
Downloads: 5 last month
Affected Version Ranges: = 2.0.43
Fixed in: 2.0.45
All affected versions:
All unaffected versions: 2.0.5, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.0.38, 2.0.39, 2.0.40, 2.0.41, 2.0.42, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.51, 2.0.52, 2.0.53, 2.0.54, 2.0.55, 2.0.56, 2.0.57, 2.0.58, 2.0.59, 2.0.60, 2.0.61