PT-2020-12724 · Xdlocalstorage · Xdlocalstorage

Grimhacker · Published 2020-04-07 · Updated 2022-05-24 · CVE-2020-11610
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
xdLocalStorage versions 2.0.5 and earlier

Description
An issue was discovered in the postData() function in xdLocalStoragePostMessageApi.js: it passes the wildcard (*) as the targetOrigin when calling postMessage() on the parent object. Because the browser only enforces targetOrigin when a concrete origin is given, the reply is delivered to whatever page currently embeds the "magical iframe". Any domain can therefore load the application hosting the "magical iframe" and receive every message it sends, i.e. the data that xdLocalStorage reads back from the iframe origin's storage.

Recommendations
For versions 2.0.5 and earlier, consider disabling the postData() function in xdLocalStoragePostMessageApi.js until a patch is available, so that no domain can receive messages from the "magical iframe". Restrict which origins may embed the "magical iframe" (check the event.origin of each incoming request against an allow-list of expected parent origins) to minimize the risk of exploitation. Never pass the wildcard (*) as the targetOrigin to postMessage(); pass the specific origin the response is meant for, so that the browser drops the message if the parent is, or has since navigated to, an unauthorized domain.
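The following is an added example and is not code from xdLocalStorage or its author. It models just enough of the browser's postMessage() targetOrigin rule to reproduce the behaviour described above in Node: a "magical iframe" that replies with the wildcard (*) hands its stored data to any page that embeds it, while a handler that checks event.origin against an allow-list and addresses its reply to that origin does not. The origins (storage.example, app.example, evil.example), the allow-list, the sample "session" value and the exact message shape are assumptions made for the demonstration; the allow-list check and explicit targetOrigin are one possible hardening, not the project's actual patch.

```javascript
'use strict';

// Added example, not xdLocalStorage's own code. It models just enough of the
// browser's window.postMessage() targetOrigin rule to show why replying with '*'
// from the "magical iframe" hands its stored data to any embedding page, and how
// a hardened handler behaves. The origins, the allow-list and the exact message
// shape are assumptions made for this demonstration.

// A window is an origin plus an inbox of delivered events and a handler.
function makeWindow(origin) {
  return { origin, inbox: [], onmessage: null };
}

// Browser rule for postMessage(data, targetOrigin): '*' delivers to whatever
// origin the target window currently has; any other value must equal that
// origin exactly, otherwise the message is silently dropped.
function postMessage(from, to, data, targetOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== to.origin) return false;
  const event = { data, origin: from.origin };
  to.inbox.push(event);
  if (to.onmessage) to.onmessage(event);
  return true;
}

// Storage logic shared by both iframe variants; the Map stands in for the
// iframe origin's localStorage.
function handleRequest(store, req) {
  if (req.action === 'set') {
    store.set(req.key, req.value);
    return { id: req.id, key: req.key, value: req.value };
  }
  if (req.action === 'get') {
    const value = store.has(req.key) ? store.get(req.key) : null;
    return { id: req.id, key: req.key, value };
  }
  return { id: req.id, error: 'unknown action' };
}

function seededStore() {
  return new Map([['session', 'secret-token']]); // constructed sample data
}

// Pattern the advisory describes: the requester's origin is never checked and
// the reply goes to the parent with targetOrigin '*'.
function makeVulnerableIframe(parentWindow) {
  const frame = makeWindow('https://storage.example');
  const store = seededStore();
  frame.onmessage = (event) => {
    const req = JSON.parse(event.data);
    if (req.namespace !== 'xdLocalStorage') return;
    const resp = handleRequest(store, req);
    postMessage(frame, parentWindow, JSON.stringify(resp), '*'); // the bug
  };
  return frame;
}

// Hardened variant (an assumed fix, not the project's patch): serve only
// allow-listed embedders and address the reply to the origin that asked.
function makeHardenedIframe(parentWindow, allowedOrigins) {
  const frame = makeWindow('https://storage.example');
  const store = seededStore();
  frame.onmessage = (event) => {
    if (!allowedOrigins.includes(event.origin)) return; // unknown embedder
    const req = JSON.parse(event.data);
    if (req.namespace !== 'xdLocalStorage') return;
    const resp = handleRequest(store, req);
    postMessage(frame, parentWindow, JSON.stringify(resp), event.origin);
  };
  return frame;
}

const TRUSTED = ['https://app.example'];
const GET_SESSION = JSON.stringify({ namespace: 'xdLocalStorage', id: 1, action: 'get', key: 'session' });

// A page at embedderOrigin embeds the iframe and asks for 'session'.
// Returns the values that actually reached the embedding page.
function embedAndRead(embedderOrigin, hardened) {
  const parent = makeWindow(embedderOrigin);
  const frame = hardened ? makeHardenedIframe(parent, TRUSTED) : makeVulnerableIframe(parent);
  postMessage(parent, frame, GET_SESSION, frame.origin); // embedder knows the iframe's origin
  return parent.inbox.map((e) => JSON.parse(e.data).value);
}

// Second failure mode: the trusted page sends a request, then navigates to
// another origin before the iframe replies. '*' still delivers; a reply
// addressed to event.origin is dropped by the browser.
function navigateBeforeReply(hardened) {
  const parent = makeWindow('https://app.example');
  const frame = hardened ? makeHardenedIframe(parent, TRUSTED) : makeVulnerableIframe(parent);
  const handler = frame.onmessage;
  let pending = null;
  frame.onmessage = (event) => { pending = event; }; // hold the request until after navigation
  postMessage(parent, frame, GET_SESSION, frame.origin);
  parent.origin = 'https://evil.example'; // the parent browsing context navigated
  handler(pending);
  return parent.inbox.map((e) => JSON.parse(e.data).value);
}

console.log('attacker embeds vulnerable iframe :', embedAndRead('https://evil.example', false));
console.log('attacker embeds hardened iframe   :', embedAndRead('https://evil.example', true));
console.log('trusted app, hardened iframe      :', embedAndRead('https://app.example', true));
console.log('navigate before reply, vulnerable :', navigateBeforeReply(false));
console.log('navigate before reply, hardened   :', navigateBeforeReply(true));
```

Run with node; the vulnerable iframe returns the stored value to evil.example in both scenarios, the hardened one returns it only to the allow-listed app.example and only while that window is still at that origin. The two checks are independent: the allow-list stops unknown embedders from issuing requests at all, and the explicit targetOrigin makes the browser discard a reply whose recipient has meanwhile become someone else, which the wildcard can never do.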

Weakness Enumeration
Exposure of Resource to Wrong Sphere (CWE-668)

Related Identifiers

CVE-2020-11610
GHSA-MR5M-2385-2VCP

Affected Products

Xdlocalstorage