Synopsis: The package xmlhttprequest before 1.7.0 is affected by a code injection vulnerability, tracked as CVE-2020-28502 and published on 5 March 2021.
Background: node-XMLHttpRequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object.
This can be used with JS designed for browsers to improve reuse of code and allow the use of existing libraries.
Vulnerability details: This affects the package xmlhttprequest before 1.7.0 and all versions of the package xmlhttprequest-ssl. Provided requests are sent synchronously (the async argument of xhr.open set to false, i.e. xhr.open(method, url, false)), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Official details: https://nvd.nist.gov/vuln/detail/CVE-2020-28502
Current status: xmlhttprequest is fixed in 1.7.0; there is no fixed version for org.webjars.npm:xmlhttprequest-ssl.
Hints: Enhance preventive and detective controls. Do not pass untrusted input to xhr.send of a synchronous request on an affected version; where input must flow into the request body, validate it against an allow-list regular expression that accepts only the expected characters and is anchored at both ends (for example ^\w+$, so that special characters such as quotes, semicolons and newlines are rejected rather than passed through).