Vulnerability Description
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmlhttprequest Project | Xmlhttprequest | < 1.7.0 |
Related Weaknesses (CWE)
References
- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.jBroken Link
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936ExploitThird Party Advisory
- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.jBroken Link
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936ExploitThird Party Advisory
FAQ
What is CVE-2020-28502?
CVE-2020-28502 is a vulnerability with a CVSS score of 8.1 (HIGH). This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into ...
How severe is CVE-2020-28502?
CVE-2020-28502 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-28502?
Check the references section above for vendor advisories and patch information. Affected products include: Xmlhttprequest Project Xmlhttprequest.