Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

MSC-2024-15350

Good to know:

icon

Date: October 31, 2024

This version has been compromised due to a token leak from one of the maintainers. It contains crypto-malware that steals cryptocurrencies from affected users. The malicious code was inserted into the Lottie-player.js file. Recommended Steps: If using 2.0.5, 2.0.6 and 2.07 versions please update to the latest version 2.0.8 or downgrade to 2.0.4. If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets. Please refer to those links for more details: https://github.com/LottieFiles/lottie-player/issues/254 lottie-player team incident response - https://github.com/LottieFiles/lottie-player/issues/254#issuecomment-2448993225

Language: JS

Severity Score

Related Resources (2)

https://my.diffend.io/npm/@lottiefiles/lottie-player/prev/2.0.6
https://www.mend.io/vulnerability-database/MSC-2024-15350

Severity Score

Weakness Type (CWE)

Trojan Horse

CWE-507

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us