CVE-2020-28502

HIGH

Xmlhttprequest < 1.7.0 - Code Injection

Title source: rule

Description

This affects the package xmlhttprequest before 1.7.0 and all versions of the package xmlhttprequest-ssl. When requests are sent synchronously (async=false passed to xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and executed.

Exploits (2)

nomisec, WORKING POC, 3 stars, by s-index (poc): https://github.com/s-index/CVE-2020-28502
nomisec, WORKING POC, by dpredrag (poc): https://github.com/dpredrag/CVE-2020-28502

Scores

CVSS v3 8.1
EPSS 0.1740
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (3)
npm/xmlhttprequest 0 - 1.7.0 (npm)
npm/xmlhttprequest-ssl 0 - 1.6.2 (npm)
xmlhttprequest_project/xmlhttprequest < 1.7.0
Published Mar 05, 2021
Tracked Since Feb 18, 2026