CVEs-PoC/2020/CVE-2020-28502.md

### [CVE-2020-28502](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28502)
![](https://img.shields.io/static/v1?label=Product&message=xmlhttprequest&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=xmlhttprequest-ssl&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%201.7.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%200%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Arbitrary%20Code%20Injection&color=brighgreen)

### Description

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

### POC

#### Reference
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/dpredrag/CVE-2020-28502
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/s-index/CVE-2020-28502
- https://github.com/s-index/poc-list