xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
Critical severity
GitHub Reviewed
Published
May 4, 2021
to the GitHub Advisory Database
•
Updated Nov 29, 2023
Description
Published by the National Vulnerability Database
Mar 5, 2021
Reviewed
Mar 18, 2021
Published to the GitHub Advisory Database
May 4, 2021
Last updated
Nov 29, 2023
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (
async=False
onxhr.open
), malicious user input flowing intoxhr.send
could result in arbitrary code being injected and run.References