CVE-2020-11610

Опубликовано: 07 апр. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.

Ссылки

https://github.com/ofirdagan/cross-domain-local-storage
Product
https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Magic-iframe
Exploit
Third Party Advisory
https://github.com/ofirdagan/cross-domain-local-storage
Product
https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Magic-iframe
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cross_domain_local_storage_project:cross_domain_local_storage:*:*:*:*:*:*:*:*

Версия до 2.0.5 (включая)

EPSS

Процентиль: 45%

0.00227

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-668

Связанные уязвимости

GHSA-mr5m-2385-2vcp