
CVE-2020-11610: xdlocalstorage does not verify request origin

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score
0.40028%
Published
5/24/2022
Updated
7/17/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: xdlocalstorage
Ecosystem: npm
Vulnerable Versions: <= 2.0.5
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description and CVE-2020-11610 explicitly identify the postData() function in xdLocalStoragePostMessageApi.js as the root cause. The function passes '*' as the targetOrigin to postMessage(), which removes origin validation and allows any domain to intercept the messages. This matches the CWE-668 (Exposure of Resource to Wrong Sphere) classification. Code examples from GrimHacker's analysis confirm the wildcard usage in this function. While other functions such as buildMessage() in xdLocalStorage.js also use insecure patterns, the primary vulnerability described in the CVE/GHSA focuses specifically on the magic iframe's postData implementation.
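As an added example that is not xdLocalStorage's own code, the following stubs a window's postMessage() to contrast the wildcard targetOrigin in postData() with a hardened version that pins the parent origin and checks event.origin on inbound messages; the origins, messages and function names are constructed for the demo.

```javascript
// Added example, not xdLocalStorage's own code: a minimal model of the
// iframe-side postData() pattern described above. Window objects are
// stubbed so it runs in Node; origins and messages are constructed.

// Stub of a window whose postMessage() records what the iframe sends.
function makeWindowStub() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); },
  };
}

// Vulnerable pattern (CWE-668): replying to the parent with '*' means any
// document that has embedded the storage iframe receives the stored data.
function postDataVulnerable(parent, data) {
  parent.postMessage(JSON.stringify(data), '*');
}

// Hardened pattern (assumed design, not the project's fix): pin the
// targetOrigin to the one origin allowed to embed the iframe, and refuse
// to fall back to the wildcard.
function postDataHardened(parent, data, allowedOrigin) {
  if (typeof allowedOrigin !== 'string' || allowedOrigin === '*') {
    throw new Error('targetOrigin must be a specific origin, not "*"');
  }
  parent.postMessage(JSON.stringify(data), allowedOrigin);
}

// Receiving side: every message handler must check event.origin against
// an allowlist before acting on the payload. Returns true if accepted.
function handleMessage(event, allowedOrigins, store) {
  if (!allowedOrigins.includes(event.origin)) return false;
  const msg = JSON.parse(event.data);
  if (msg.action === 'set') store.set(msg.key, msg.value);
  return true;
}

// Constructed demo: a spoofed origin is dropped, the allowed one is stored.
function demo() {
  const parent = makeWindowStub();
  postDataHardened(parent, { key: 'token', value: 'abc' }, 'https://app.example');
  const store = new Map();
  const body = JSON.stringify({ action: 'set', key: 'token', value: 'abc' });
  const allowed = ['https://app.example'];
  const spoofed = handleMessage({ origin: 'https://evil.example', data: body }, allowed, store);
  const legit = handleMessage({ origin: 'https://app.example', data: body }, allowed, store);
  return { sentTo: parent.sent[0].targetOrigin, spoofed, legit, stored: store.get('token') };
}
```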


WAF Protection Rules

WAF Rule

An issue was discovered in xdLocalStorage through 2.0.5. The `postData()` function in `xdLocalStoragePostMessageApi.js` specifies the wildcard (`*`) as the targetOrigin when calling the `postMessage()` function on the parent object. Therefore any dom
