CVE-2020-28502 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-28502 PUBLISHED

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

EPSS 17.40% · 95.0th percentile

Risk Scores

EPSS Score

17.40%

95.0th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	node-xmlhttprequest	0, 1.6.0-1
Ubuntu:18.04:LTS	node-xmlhttprequest	0, 1.6.0-1
Ubuntu:20.04:LTS	node-xmlhttprequest-ssl	1.6.0-1, 0
Ubuntu:18.04:LTS	node-xmlhttprequest-ssl	0, 1.6.0-1

Timeline

Mar 5, 2021 CVE Published
Apr 14, 2021 EPSS Score
May 13, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Feb 25, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Aug 31, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Mar 5, 2023 EPSS Score
Mar 7, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2020-28502 third-party-advisory
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935 third-party-advisory
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936 third-party-advisory
https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480 third-party-advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937 third-party-advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-28502 third-party-advisory

Open in Interactive Console →