CVE-2020-28502

NameCVE-2020-28502
DescriptionThis affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-xmlhttprequest (PTS)stretch1.6.0-1vulnerable
buster1.8.0-1fixed
bullseye, sid1.8.0-3fixed
node-xmlhttprequest-ssl (PTS)buster, stretch1.6.0-1vulnerable
sid1.6.0-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-xmlhttprequestsourcestretch(unfixed)end-of-life
node-xmlhttprequestsource(unstable)1.8.0-1
node-xmlhttprequest-sslsourcestretch(unfixed)end-of-life
node-xmlhttprequest-sslsource(unstable)(unfixed)

Notes

[stretch] - node-xmlhttprequest <end-of-life> (Nodejs in stretch not covered by security support)
[stretch] - node-xmlhttprequest-ssl <end-of-life> (Nodejs in stretch not covered by security support)
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936

Search for package or bug name: Reporting problems