Miggo Logo
Miggo Vulnerability Database
CVE-2015-9545

CVE-2015-9545: Improper Input Validation in xdLocalStorage

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2015-9545
GHSA ID
GHSA-76qm-4f93-fg6f
EPSS Score
0.62676%
CWE
CWE-20
Published
12/9/2021
Updated
1/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
xdLocalStoragenpm<= 2.0.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two primary issues: 1) Missing origin validation in receiveMessage() functions (CWE-20), explicitly cited in CVE-2015-9545 and GHSA-76qm-4f93-fg6f. 2) Insecure use of wildcard targetOrigin in postMessage() calls (buildMessage and postData), as demonstrated in the GitHub pull request and blog post analysis. Both the client (xdLocalStorage.js) and magic iframe (xdLocalStoragePostMessageApi.js) components are affected. The lack of origin checks allows cross-domain message injection, while the wildcard targetOrigin enables data leakage to untrusted domains.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in x*Lo**lStor*** t*rou** *.*.*. T** r***iv*M*ss***() *un*tion in x*Lo**lStor***.js *o*s not impl*m*nt *ny v*li**tion o* t** ori*in o* w** m*ss***s. R*mot* *tt**k*rs w*o **n *nti** * us*r to lo** * m*li*ious sit* **n *xploit t

Reasoning

T** vuln*r**ility st*ms *rom two prim*ry issu*s: *) Missin* ori*in v*li**tion in `r***iv*M*ss***()` *un*tions (*W*-**), *xpli*itly *it** in *V*-****-**** *n* **S*-**qm-****-****. *) Ins**ur* us* o* wil***r* `t*r**tOri*in` in `postM*ss***()` **lls (*u