xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection (GHSA-h4j5-c7cj-74xg)

Severity:: High

Description

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Recommendation

Update the xmlhttprequest package to the latest compatible version. Followings are version details:

Affected version(s): < 1.7.0
Patched version(s): 1.7.0

References

GHSA-h4j5-c7cj-74xg
snyk.io
CVE-2020-28502
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin (GHSA-2h87-4q2w-v4hf) - CVE-2023-22621
Arbitrary Code Execution in mathjs (GHSA-vx5c-87qx-cv6c) - CVE-2017-1001002
Code injection in electerm - CVE-2020-23256

Tags:: npm; xmlhttprequest

Anything's wrong? Let us know Last updated on November 29, 2023