
836 matches found

NVD
added 2021/04/05 7:15 p.m. | 7 views

CVE-2021-24167

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

CVSS 7.5 | EPSS 0.00614
Exploits: 0 | References: 1

Prion
added 2021/04/05 7:15 p.m. | 9 views

Design/Logic Flaw

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

CVSS 5 | AI score 7.4 | EPSS 0.00614
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2021/04/05 6:27 p.m. | 12 views

CVE-2021-24167 Web-Stat < 1.4.1 - API Key Disclosure

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

AI score 7.6 | EPSS 0.00614
Exploits: 0 | References: 1

Packet Storm
added 2021/03/22 12:0 a.m. | 375 views

MyBB 1.8.25 Remote Command Execution

Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution Exploit Author: SivertPL [email protected] Date: 19.03.2021 Description: Nested autourl Stored XSS - templateset second order SQL Injection leading to RCE through improper string interpolation in eval. Software Link:...

CVSS 4.3 | AI score 7.5 | EPSS 0.02518
Exploits: 10

Veracode
added 2021/03/08 5:3 a.m. | 18 views

Arbitrary Code Execution

xmlhttprequest is vulnerable to arbitrary code execution. The vulnerability exists through the lack of encoding of data in the this.send function...

CVSS 8.1 | AI score 3 | EPSS 0.17396
Exploits: 2 | References: 2 | Affected Software: 2

OSV
added 2021/03/05 6:15 p.m. | 16 views

CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | AI score 7.2
Exploits: 0 | References: 5

OSV
added 2021/03/05 6:15 p.m. | 1 views

DEBIAN-CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | AI score 8.2 | EPSS 0.17396
Exploits: 2 | References: 1

NVD
added 2021/03/05 6:15 p.m. | 11 views

CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | EPSS 0.17396
Exploits: 2 | References: 5

OSV
added 2021/03/05 6:15 p.m. | 0 views

UBUNTU-CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | AI score 6 | EPSS 0.17396
Exploits: 2 | References: 7

UbuntuCve
added 2021/03/05 6:15 p.m. | 16 views

CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | AI score 7.3 | EPSS 0.17396
Exploits: 2 | References: 6

Cvelist
added 2021/03/05 5:25 p.m. | 14 views

CVE-2020-28502 Arbitrary Code Injection

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | AI score 8.2 | EPSS 0.17396
Exploits: 2 | References: 5

CVE
added 2021/03/05 5:25 p.m. | 106 views

CVE-2020-28502

The CVE-2020-28502 issue affects the Node.js packages xmlhttprequest (pre-1.7.0) and xmlhttprequest-ssl (any version). Root cause: inputs sent via xhr.send when requests are synchronous (async=false) can be manipulated to inject and execute arbitrary code, due to how data flows into xhr.send. Pub...

CVSS 8.1 | AI score 8.1 | EPSS 0.17396
Exploits: 2 | References: 5 | Affected Software: 1

Debian CVE
added 2021/03/05 5:25 p.m. | 25 views

CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | AI score 8.2 | EPSS 0.17396
Exploits: 2

Snyk
added 2021/03/05 5:5 p.m. | 2 views

Arbitrary Code Injection

Overview xmlhttprequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object. Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.sen...

CVSS 8.1 | AI score 7.4 | EPSS 0.17396
Exploits: 2 | References: 2

Snyk
added 2021/03/05 5:5 p.m. | 2 views

Arbitrary Code Injection

Overview xmlhttprequest-ssl is a fork of xmlhttprequest. Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1 | AI score 7.4 | EPSS 0.17396
Exploits: 2 | References: 2

vulnersOsv
added 2021/03/05 5:5 p.m. | 1 views

317-project (=0.0.0), 4pm-cli (>=0.0.1 <=0.0.5) +1889 more potentially affected by CVE-2020-28502 via xmlhttprequest (>=1.2.2 <=1.6.0)

xmlhttprequest NPM version =1.2.2, =0.0.1, =0.1.16, =1.1.1, =0.0.4, =0.0.53, =0.0.42, =1.0.399-main, =0.1.0, =0.1.2, =0.1.3 and more Source cves: CVE-2020-28502 Source advisory: SNYK:JS-XMLHTTPREQUEST-1082935...

CVSS 8.1 | AI score 7.2 | EPSS 0.17396
Exploits: 2

vulnersOsv
added 2021/03/05 5:5 p.m. | 0 views

1tp (>=0.0.1 <=0.11.2), 2d-json-schema-editor-visual (>=1.0.2 <=1.0.7) +2806 more potentially affected by CVE-2020-28502 via xmlhttprequest-ssl (>=1.5.1 <=1.5.5)

xmlhttprequest-ssl NPM version =1.5.1, =0.0.1, =1.0.2, =1.0.1, =4.11.25, =0.1.3, =0.0.15, =8.25.29, =1.0.0, =0.0.4, =1.0.9, =1.0.15 and more Source cves: CVE-2020-28502 Source advisory: SNYK:JS-XMLHTTPREQUESTSSL-1082936...

CVSS 8.1 | AI score 7.2 | EPSS 0.17396
Exploits: 2

CNNVD
added 2021/03/05 12:0 a.m. | 2 views

Dan DeFelippi node-XMLHttpRequest Code Injection Vulnerability

node-XMLHttpRequest is an open source application by Dan DeFelippi, used to simulate the browser XMLHttpRequest object. A code injection vulnerability exists in node-XMLHttpRequest before 1.7.0, which can be exploited by an attacker to cause arbitrary code to be injected and run...

CVSS 8.1 | AI score 7.9 | EPSS 0.17396
Exploits: 2 | References: 8

WPVulnDB
added 2021/02/23 12:0 a.m. | 18 views

Web-Stat < 1.4.1 - API Key Disclosure

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount. This request contained sensitive information such as the site’s “wtswebstatuid” which was sent in the...

AI score 0.1 | EPSS 0.00614
Exploits: 0 | Affected Software: 1

wpexploit
added 2021/02/10 12:0 a.m. | 202 views

Responsive Menu < 4.0.4 - CSRF to Arbitrary File Upload

"Attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site." function submitRequest var xhr = new XMLHttpRequest;...

AI score 2.1 | EPSS 0.00747
Exploits: 2 | References: 1