CVE-2020-11610: xdlocalstorage does not verify request origin
CVSS Score: 8.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-11610
GHSA ID:
EPSS Score: 0.40028%
CWE: CWE-668 (Exposure of Resource to Wrong Sphere)
Published: 5/24/2022
Updated: 7/17/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| xdlocalstorage | npm | <= 2.0.5 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description and CVE-2020-11610 explicitly identify the postData() function in xdLocalStoragePostMessageApi.js as the root cause. The function passes '*' as the targetOrigin argument of postMessage(), so the browser delivers the message regardless of which origin is loaded in the receiving window; any domain that holds a reference to that window can therefore intercept the data. This matches the CWE-668 (Exposure of Resource to Wrong Sphere) classification. Code examples from GrimHacker's analysis confirm the wildcard usage in this function. While other functions such as buildMessage() in xdLocalStorage.js also use insecure patterns, the primary vulnerability described in the CVE/GHSA focuses specifically on the magic iframe's postData implementation.
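The following is an added illustration of the pattern the analysis describes; it is not code from the xdlocalstorage project. It contrasts a postData-style sender that uses the '*' wildcard with one that pins a concrete target origin, and adds the receiving-side origin check that a postMessage listener needs. The window stand-in, the function names and the origins are all constructed for the example so it runs outside a browser.

```javascript
// Constructed stand-in for a browser window: records each postMessage call so the
// targetOrigin actually used can be inspected. Not a real DOM object.
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) {
      sent.push({ data, targetOrigin });
    },
  };
}

// Vulnerable pattern (the CWE-668 issue above, reconstructed for illustration):
// a wildcard targetOrigin means the browser delivers the reply to whatever
// document is currently loaded in `win`, whoever controls it.
function postDataWildcard(win, data) {
  win.postMessage(JSON.stringify(data), '*');
}

// Hardened pattern: the iframe keeps the one parent origin it trusts and posts
// only to that origin. If the parent has navigated elsewhere, the browser drops
// the message instead of handing it to the new document.
function postDataRestricted(win, data, trustedOrigin) {
  if (typeof trustedOrigin !== 'string' || trustedOrigin === '*' || trustedOrigin === 'null') {
    throw new Error('refusing to post without a concrete trusted origin');
  }
  win.postMessage(JSON.stringify(data), trustedOrigin);
}

// Derive an origin string from a configured parent URL. Only http(s) origins are
// accepted; file:, data: and blob: documents report the opaque origin "null".
function originOf(url) {
  const parsed = new URL(url);
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    throw new Error(`unsupported scheme for a trusted origin: ${parsed.protocol}`);
  }
  return parsed.origin;
}

// Receiving side: a message handler must compare event.origin against an explicit
// allowlist before parsing or acting on event.data. Returns the parsed payload, or
// null when the sender is not trusted or the payload is not valid JSON.
function acceptMessage(event, allowedOrigins) {
  if (!Array.isArray(allowedOrigins) || !allowedOrigins.includes(event.origin)) {
    return null;
  }
  try {
    return JSON.parse(event.data);
  } catch {
    return null;
  }
}

module.exports = { makeFakeWindow, postDataWildcard, postDataRestricted, originOf, acceptMessage };
```

In a real deployment the trusted origin is something the iframe learns from configuration (for example `originOf(parentUrl)` at load time), never from the incoming message itself, since the message is exactly what an untrusted document would forge. The receiving-side check is independent of the sender's targetOrigin: both sides need their own origin validation.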