4 matches found
CVE-2020-11610
CVE-2020-11610 affects xdLocalStorage up to version 2.0.5. The root cause is in the postData() function of xdLocalStoragePostMessageApi.js, which calls postMessage() on the parent with targetOrigin set to the wildcard (*) instead of a specific origin. This allows any domain to load the applicatio...
CVE-2015-9545
The CVE-2015-9545 issue affects xdLocalStorage up to version 2.0.5, where receiveMessage() in xdLocalStorage.js does not validate the origin of web messages. This missing origin validation can allow remote attackers to entice a user to load a malicious site and exploit web messages to affect the ...
CVE-2015-9544
CVE-2015-9544 affects xdLocalStorage up to version 2.0.5. The postMessage API (xdLocalStoragePostMessageApi.js) does not validate the origin of received web messages, enabling remote attackers who lure a user to a malicious site to read/alter data in local storage of the vulnerable site. Impact s...
CVE-2020-11611
CVE-2020-11611 affects xdLocalStorage up to version 2.0.5. The issue is in buildMessage() in xdLocalStorage.js, which uses wildcard (*) as targetOrigin when postMessage() is called on the iframe. This allows any domain loaded in the iframe to receive the messages, enabling cross-domain disclosure...