Vulnerability Description
An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cross Domain Local Storage Project | Cross Domain Local Storage | <= 2.0.5 |
Related Weaknesses (CWE)
References
- https://github.com/ofirdagan/cross-domain-local-storageProduct
- https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#MExploitThird Party Advisory
- https://github.com/ofirdagan/cross-domain-local-storageProduct
- https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#MExploitThird Party Advisory
FAQ
What is CVE-2020-11610?
CVE-2020-11610 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() functi...
How severe is CVE-2020-11610?
CVE-2020-11610 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11610?
Check the references section above for vendor advisories and patch information. Affected products include: Cross Domain Local Storage Project Cross Domain Local Storage.