Lucene search

GitHub Advisory DatabaseGHSA-H4J5-C7CJ-74XG

HistoryMay 04, 2021 - 6:02 p.m.

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

2021-05-0418:02:34

CWE-94

GitHub Advisory Database

github.com

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.03 Low

EPSS

Percentile

91.0%

JSON

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Affected configurations

Vulners

Node

xmlhttprequestsslRange<1.6.2

xmlhttprequest_projectxmlhttprequestRange<1.7.0node.js

CPENameOperatorVersion
xmlhttprequest-ssllt1.6.2
xmlhttprequestlt1.7.0

CPE	Name	Operator	Version
	xmlhttprequest-ssl	lt	1.6.2
	xmlhttprequest	lt	1.7.0

References

github.com/advisories/GHSA-h4j5-c7cj-74xg

github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480

github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480

github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6

github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531

github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291

nvd.nist.gov/vuln/detail/CVE-2020-28502

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938

snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935

snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.03 Low

EPSS

Percentile

91.0%

JSON

Related for GHSA-H4J5-C7CJ-74XG