PT-2021-11557 · Unknown · Xmlhttprequest+1

Rinsuki · Published 2021-03-05 · Updated 2021-05-13 · CVE-2020-28502

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: xmlhttprequest, versions prior to 1.7.0; xmlhttprequest-ssl, all versions.
Description: The issue arises when requests are sent synchronously, i.e. with async set to false in xhr.open(method, url, false). On that path the request body passed to xhr.send is interpolated into a script string that the library runs in a child Node.js process to perform the blocking request. If malicious user input flows into xhr.send, it can break out of the string literal it is placed in and be executed as arbitrary code with the privileges of the application.
Recommendations: For xmlhttprequest versions prior to 1.7.0, update to version 1.7.0 or later. For xmlhttprequest-ssl, no fixed version is listed here; until one is available, do not pass untrusted data to xhr.send on a synchronous request. Prefer asynchronous requests (the default when the third argument of xhr.open is omitted), which do not take the vulnerable code path, and review every call site that opens a request with async=false.

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2020-28502
GHSA-H4J5-C7CJ-74XG
SNYK-JAVA-ORGWEBJARSNPM-1082937
SNYK-JAVA-ORGWEBJARSNPM-1082938
SNYK-JS-XMLHTTPREQUEST-1082935
SNYK-JS-XMLHTTPREQUESTSSL-1082936

Affected Products

Xmlhttprequest
Xmlhttprequest-Ssl