CVE-2020-11610

HIGH

Cross Domain Local Storage < 2.0.5 - Exposure to Wrong Actor

Title source: rule

Description

An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling postMessage() on the parent window object. Therefore, any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.
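The pattern the description refers to, shown as an added illustration (not xdLocalStorage's own code): the wildcard reply next to a hardened version that pins the embedding origin and checks event.origin on incoming requests. The parent objects are constructed stand-ins for window.parent so the snippet runs under Node; the origin 'https://app.example' is an assumed deployment value.

```javascript
// Vulnerable pattern: targetOrigin "*" means whatever page embedded the
// iframe receives the stored values, whichever origin it is served from.
function postDataWildcard(parent, data) {
  parent.postMessage(JSON.stringify(data), '*');
}

// Hardened pattern: the iframe is configured with the single origin allowed
// to embed it (assumed value, set at deployment) and every reply is addressed
// to that origin only; the browser discards the message if the embedder's
// origin does not match.
function makeStrictPostData(allowedOrigin) {
  return function postData(parent, data) {
    parent.postMessage(JSON.stringify(data), allowedOrigin);
  };
}

// Receiving side inside the iframe: ignore requests from any other origin
// before touching the store. `store` is a plain object standing in for
// localStorage; only a "get" action is modelled here.
function handleRequest(event, allowedOrigin, store) {
  if (event.origin !== allowedOrigin) return null; // foreign embedder: drop
  const msg = JSON.parse(event.data);
  if (msg.action !== 'get') return null;
  return { id: msg.id, value: Object.hasOwn(store, msg.key) ? store[msg.key] : null };
}

// Constructed stand-in for a browser window owned by `embedderOrigin`.
// It applies the browser's delivery rule: a message arrives only when
// targetOrigin is "*" or equals the window's own origin.
function fakeParent(embedderOrigin) {
  const delivered = [];
  return {
    delivered,
    postMessage(data, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === embedderOrigin) {
        delivered.push(data);
      }
    },
  };
}
```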

Scores

CVSS v3 8.8
EPSS 0.0023
EPSS Percentile 45.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE
CWE-668
Status published

Affected Products (2)

cross_domain_local_storage_project/cross_domain_local_storage < 2.0.5
npm/xdlocalstorage npm

Timeline

Published Apr 07, 2020
Tracked Since Feb 18, 2026