In xmlhttprequest-ssl before 1.6.2, when requests are sent synchronously (`async=False` on `xhr.open`), malicious user input flowing into `xhr.send` could result in arbitrary code being injected and run.

Upgrade to version 1.6.2 or later.
CPE

Name | Operator | Version |
---|---|---|
xmlhttprequest-ssl | lt | 1.6.2 |