
Arbitrary Code Injection vulnerability in xmlhttprequest and xmlhttprequest-ssl #151

Closed
derekbelrose opened this issue May 5, 2021 · 3 comments

derekbelrose commented May 5, 2021

There is a CVE for xmlhttprequest and xmlhttprequest-ssl, which are used in ember-fedora-adapter and ember. This is categorized as a critical arbitrary code injection vulnerability.

GitHub advisory: GHSA-h4j5-c7cj-74xg
Snyk: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937
Snyk (ssl): https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-28502

The recommendation is that we upgrade to a version of xmlhttprequest later than 1.7.0 and to the latest xmlhttprequest-ssl.


birkland commented May 5, 2021

GHSA-h4j5-c7cj-74xg

derekbelrose (author) commented

All versions of xmlhttprequest-ssl are vulnerable. There is an issue created here 12 days ago, but no response from the dev. The project looks abandoned, as nothing has been pushed/merged for 3+ years.

xiaomingX1 commented

0star...

derekbelrose closed this as not planned (won't fix, can't repro, duplicate, stale) on Nov 30, 2023

3 participants