CVE-2015-9545
HIGH
Cross Domain Local Storage < 2.0.5 - Improper Input Validation
Title source: ruleDescription
An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js performs no validation of the origin of incoming web messages (event.origin is never checked against the set of sites allowed to use the storage). A remote attacker who can entice a user to load a malicious site can send crafted web messages to the vulnerable page and read or modify data in the local storage of the vulnerable site, affecting the confidentiality and integrity of that data.
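As an added illustration (not code from the xdLocalStorage project or from any of the references listed below), the following Node-runnable model shows a hub-side receiveMessage() handler in the vulnerable shape described above beside a hardened one that checks event.origin against an allow-list and addresses its replies to the verified origin. The message format ({id, action, key, value}), the helper names fakeStorage, fakeEvent, makeReceiveMessage and runScenario, and the origins storage.example, app.example and evil.example are assumptions constructed for the example.

```javascript
// Added example, not code from the xdLocalStorage project: a minimal model of a
// postMessage-driven localStorage hub, vulnerable and hardened, runnable in Node.
// The message shape, helper names and origins below are constructed assumptions.

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function fakeStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
    removeItem: (k) => { store.delete(k); },
    clear: () => { store.clear(); },
  };
}

// Stand-in for a MessageEvent: `origin` is filled in by the browser and cannot be
// forged by the sender; `source` is the sending window, modelled as a recorder of
// what the hub posts back.
function fakeEvent(origin, payload) {
  const sent = [];
  return {
    origin,
    data: JSON.stringify(payload),
    source: { postMessage: (data, targetOrigin) => sent.push({ data, targetOrigin }) },
    sent,
  };
}

// Build the hub-side handler. allowedOrigins === null serves every message (the
// missing check the CVE describes); an array serves only the listed origins and
// pins each reply to the sender's verified origin instead of '*'.
function makeReceiveMessage(storage, allowedOrigins) {
  return function receiveMessage(event) {
    // Exact string comparison: a prefix or substring match could be defeated by
    // an attacker-controlled host such as https://app.example.evil.test
    if (allowedOrigins !== null && !allowedOrigins.includes(event.origin)) {
      return false; // drop silently: no reply, no side effect on storage
    }
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return false; }
    let reply;
    switch (msg.action) {
      case 'set':    storage.setItem(msg.key, msg.value); reply = { id: msg.id }; break;
      case 'get':    reply = { id: msg.id, value: storage.getItem(msg.key) }; break;
      case 'remove': storage.removeItem(msg.key); reply = { id: msg.id }; break;
      case 'clear':  storage.clear(); reply = { id: msg.id }; break;
      default:       return false;
    }
    const target = allowedOrigins === null ? '*' : event.origin;
    event.source.postMessage(JSON.stringify(reply), target);
    return true;
  };
}

// Scenario (constructed): the hub page at https://storage.example holds data for
// https://app.example. A page at https://evil.example frames the hub and sends
// its own messages. The same handler is exercised with and without the check.
function runScenario(allowedOrigins) {
  const storage = fakeStorage();
  storage.setItem('session', 'app-token-123'); // value the legitimate app stored earlier
  const receive = makeReceiveMessage(storage, allowedOrigins);

  const legit  = fakeEvent('https://app.example',  { id: 1, action: 'get', key: 'session' });
  const steal  = fakeEvent('https://evil.example', { id: 2, action: 'get', key: 'session' });
  const tamper = fakeEvent('https://evil.example', { id: 3, action: 'set', key: 'session', value: 'attacker-token' });

  receive(legit);
  receive(steal);
  receive(tamper);

  return {
    legitReply:  legit.sent.length ? JSON.parse(legit.sent[0].data).value : null,
    leaked:      steal.sent.length ? JSON.parse(steal.sent[0].data).value : null,
    stored:      storage.getItem('session'),
    replyTarget: legit.sent.length ? legit.sent[0].targetOrigin : null,
  };
}

const vulnerable = runScenario(null);
const hardened   = runScenario(['https://app.example']);
console.log('vulnerable:', vulnerable);
console.log('hardened:  ', hardened);
```

With no origin check the evil.example frame both reads the stored token and overwrites it, and the reply is posted to '*'; with the allow-list the same messages are dropped while the app.example request is still answered, and the answer is posted only to https://app.example. In a real deployment the same exact-match check belongs on the client side as well, in the receiveMessage() that consumes the hub's replies, since a framed client can otherwise be fed forged responses.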
References (4)
Patch, Third Party Advisory: https://github.com/ofirdagan/cross-domain-local-storage/issues/17
Patch, Third Party Advisory: https://github.com/ofirdagan/cross-domain-local-storage/pull/19
Product, Third Party Advisory: https://github.com/ofirdagan/cross-domain-local-storage
Exploit, Third Party Advisory: https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-Origin-Client
Scores
CVSS v3: 7.1
EPSS: 0.0045 (percentile 63.6%)
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Details
CWE: CWE-20 (Improper Input Validation)
Status: published
Products (2)
cross_domain_local_storage_project/cross_domain_local_storage: < 2.0.5
npm/xdlocalstorage: no version range given
Published: Apr 07, 2020
Tracked Since: Feb 18, 2026