
CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStoragePostMessageApi.js (the handler running inside the storage iframe) does not validate the origin of incoming web messages. A remote attacker who can entice a user to load a malicious site can read and modify data in the local storage of the vulnerable site via crafted web messages. • https://github.com/ofirdagan/cross-domain-local-storage https://github.com/ofirdagan/cross-domain-local-storage/issues/17 https://github.com/ofirdagan/cross-domain-local-storage/pull/19 https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-Origin-Magic-iframe • CWE-20: Improper Input Validation •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js passes the wildcard (*) as targetOrigin when calling postMessage() on the parent window. Any site can therefore embed the page hosting the "magical iframe" and receive the messages, including stored values, that the iframe sends to its parent. • https://github.com/ofirdagan/cross-domain-local-storage https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Magic-iframe • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage() function in xdLocalStorage.js passes the wildcard (*) as targetOrigin when calling postMessage() on the iframe object. Whatever document is currently loaded in the iframe, including one an attacker has navigated it to, can therefore receive the messages the client sends. • https://github.com/ofirdagan/cross-domain-local-storage https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Client • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js (the client-side handler for replies from the storage iframe) does not validate the origin of incoming web messages. A remote attacker who can entice a user to load a malicious site can read and modify data in the local storage of the vulnerable site via crafted web messages. • https://github.com/ofirdagan/cross-domain-local-storage https://github.com/ofirdagan/cross-domain-local-storage/issues/17 https://github.com/ofirdagan/cross-domain-local-storage/pull/19 https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-Origin-Client • CWE-20: Improper Input Validation •
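The four entries above describe the two halves of one weakness in a postMessage storage bridge: the receiver side (entries 1 and 4) acts on messages without checking event.origin, and the sender side (entries 2 and 3) posts with targetOrigin "*" so any document that ends up on the other side of the frame boundary receives the data. The block below is an added example, not code from xdLocalStorage or its fix, showing how a hardened bridge handles both: the storage-side handler checks event.origin against an explicit allowlist before it touches storage, and the client pins targetOrigin to the origin the iframe was loaded from. ALLOWED_ORIGINS, the function names, the {id, action, key, value} message shape and the MemoryStorage stand-in are assumptions made for the example; the library's real API differs.

```javascript
// Hardened postMessage bridge for a cross-domain localStorage proxy.
// Added example: names, message shape and allowlist are assumptions.

// Origins allowed to drive the storage iframe. Full origins only
// (scheme + host + port): no wildcards, no prefix or substring matching.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "https://admin.example:8443",
]);

// Parse an origin string back into a canonical origin. Returns null for
// "null" (opaque origins such as sandboxed iframes, data: or file: URLs)
// and for anything that is not a URL, so those can never match.
function normalizeOrigin(origin) {
  try {
    const o = new URL(origin).origin;
    return o === "null" ? null : o;
  } catch {
    return null;
  }
}

// Exact comparison against the allowlist after canonicalising both sides,
// so a typo in the configuration ("HTTPS://App.Example/") cannot fail open.
function isTrustedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  const norm = normalizeOrigin(origin);
  if (norm === null) return false;
  for (const a of allowed) if (normalizeOrigin(a) === norm) return true;
  return false;
}

// Storage side: runs inside the iframe, receives requests from its parent.
// Returns {targetOrigin, message} for the caller to send with
// event.source.postMessage(reply.message, reply.targetOrigin), or null when
// the request is rejected. Rejected requests get no reply at all.
function handleStorageMessage(event, storage, allowed = ALLOWED_ORIGINS) {
  if (!isTrustedOrigin(event.origin, allowed)) return null;
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.id !== "string") return null;

  let result;
  switch (msg.action) {
    case "get":
      result = storage.getItem(msg.key);
      break;
    case "set":
      storage.setItem(msg.key, msg.value);
      result = true;
      break;
    case "remove":
      storage.removeItem(msg.key);
      result = true;
      break;
    default:
      return null; // unknown action: reject rather than guess
  }
  // The reply is addressed to the verified requester, never to "*".
  return { targetOrigin: event.origin, message: { id: msg.id, result } };
}

// Client side: the page embedding the iframe. Derive targetOrigin from the
// src the iframe was created with; if the frame has since been navigated
// elsewhere, the browser drops the message instead of delivering it.
function targetOriginFor(iframeSrc) {
  const origin = new URL(iframeSrc).origin;
  if (origin === "null") throw new Error("iframe src has no usable origin");
  return origin;
}

let nextId = 0;
function buildRequest(iframeSrc, action, key, value) {
  nextId += 1;
  return {
    targetOrigin: targetOriginFor(iframeSrc),
    message: { id: String(nextId), action, key, value },
  };
}

// Client-side reply handler: only accept replies from the iframe's origin,
// and only for requests this client actually issued.
function handleClientReply(event, iframeSrc, pending) {
  if (event.origin !== targetOriginFor(iframeSrc)) return false;
  const msg = event.data;
  if (!msg || typeof msg.id !== "string" || !pending.has(msg.id)) return false;
  pending.get(msg.id)(msg.result);
  pending.delete(msg.id);
  return true;
}

// Constructed in-memory stand-in for window.localStorage so the example
// runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(k); }
}
```

In a browser the storage page wires this up as `window.addEventListener("message", e => { const r = handleStorageMessage(e, window.localStorage); if (r) e.source.postMessage(r.message, r.targetOrigin); })`, and the client calls `iframe.contentWindow.postMessage(req.message, req.targetOrigin)`. Note that the allowlist check is exact-match on the whole origin: a check such as `origin.endsWith("app.example")` or `origin.indexOf("app.example") !== -1` would accept `https://app.example.attacker.example`, and an allowlist entry without its port would not match a service on a non-default port.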