CVE-2020-28502

NameCVE-2020-28502
DescriptionThis affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-xmlhttprequest (PTS)buster1.8.0-1fixed
bullseye1.8.0-3fixed
sid, trixie, bookworm1.8.0-4fixed
node-xmlhttprequest-ssl (PTS)buster1.6.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-xmlhttprequestsourcestretch(unfixed)end-of-life
node-xmlhttprequestsource(unstable)1.8.0-1
node-xmlhttprequest-sslsourcestretch(unfixed)end-of-life
node-xmlhttprequest-sslsource(unstable)(unfixed)

Notes

[stretch] - node-xmlhttprequest <end-of-life> (Nodejs in stretch not covered by security support)
[buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should possibly be removed from stable as well)
[stretch] - node-xmlhttprequest-ssl <end-of-life> (Nodejs in stretch not covered by security support)
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
Search for package or bug name: Reporting problems