CVE-2020-28502 — xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Description

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

How to fix CVE-2020-28502

To remediate CVE-2020-28502, upgrade the affected package to a fixed version below.

—upgrade to 1.8.0-1 or later
—upgrade to 1.7.0 or later
—upgrade to 1.6.2 or later

Is CVE-2020-28502 being exploited?

Moderate — EPSS is 17.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 1.8.0-1
from 0, < 1.7.0
from 0, < 1.6.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-28502
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-28502
WEBgithub.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480
WEBgithub.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480