Name of the Vulnerable Software and Affected Versions pensi-scheduler version 1.1.3

Description The issue concerns malicious code in the pensi-scheduler package that, when executed in a browser, can extract sensitive information such as password, cvc, and cardnumber fields from forms. This extracted data is then sent to the endpoint "https://js-metrics.com/minjs.php?pl=". There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited.

Recommendations For version 1.1.3, remove the package from your environment and evaluate your application to determine whether user data was compromised. Consider downgrading to version 1.1.2 as a temporary workaround.