CVE-2020-11610

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-11610

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11610.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-11610

Aliases

GHSA-mr5m-2385-2vcp

Published

2020-04-07T18:15:13Z

Modified

2025-01-08T06:10:00.778186Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.

References

Affected packages

Git / github.com/ofirdagan/cross-domain-local-storage

Affected ranges

Type: GIT
Repo: https://github.com/ofirdagan/cross-domain-local-storage
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

9c01ec482e063f6dabbca52d4dcf77adf85c2eee

Affected versions

1.*

1.0.1

1.0.10

1.0.11

1.0.12

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5