CVE-2020-11611 – xdlocalstorage

Package

Manager: npm
Name: xdlocalstorage
Vulnerable Version: >=0 <=2.0.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00149 pctl0.36025

Details

Open Redirect in xdLocalStorage An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages that the client sends.

Metadata

Created: 2021-12-09T19:30:14Z
Modified: 2021-05-25T16:23:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-c6c4-jmqx-3r33/GHSA-c6c4-jmqx-3r33.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-c6c4-jmqx-3r33
Finding: F156
Auto approve: 1