Vulnerability Details CVE-2020-11611
An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages that the client sends.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.1%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 5.8
References
- https://github.com/ofirdagan/cross-domain-local-storage
- https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Client
- https://github.com/ofirdagan/cross-domain-local-storage
- https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Client
Products affected by CVE-2020-11611
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.1
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.10
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.11
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.12
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.2
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.3
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.4
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.5
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.6
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.7
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.8
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:1.0.9
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:2.0.0
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:2.0.1
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:2.0.2
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:2.0.3
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:2.0.4
-
cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:2.0.5