xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection (GHSA-h4j5-c7cj-74xg)
- Severity:
- High
Description
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Recommendation
Update the xmlhttprequest package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.7.0
- Patched version(s): 1.7.0
References
Related Issues
- Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - CVE-2024-35255
- Materialize-css vulnerable to Cross-site Scripting in autocomplete component (GHSA-7752-f4gf-94gc) - CVE-2019-11003
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
- Tags:
- npm
- xmlhttprequest
Anything's wrong? Let us know Last updated on November 29, 2023