CVE-2020-11611
Severity: MEDIUM
Title: Cross Domain Local Storage < 2.0.5 - Open Redirect
Title source: ruleDescription
An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages that the client sends.
References (2)
- Product, Third Party Advisory (x_refsource_misc): https://github.com/ofirdagan/cross-domain-local-storage
- Exploit, Third Party Advisory (x_refsource_misc): https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Client
Scores
CVSS v3: 6.1
EPSS: 0.0026
EPSS Percentile: 49.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-601
Status: published
Products (2)
- cross_domain_local_storage_project/cross_domain_local_storage: < 2.0.5
- npm/xdlocalstorage
Published: Apr 07, 2020
Tracked Since: Feb 18, 2026