CVE-2015-9545

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
cross_domain_local_storage_projectcross_domain_local_storage
𝑥
≤ 2.0.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ofirdagan/cross-domain-local-storage
https://github.com/ofirdagan/cross-domain-local-storage/issues/17
https://github.com/ofirdagan/cross-domain-local-storage/pull/19
https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-Origin-Client
https://github.com/ofirdagan/cross-domain-local-storage
https://github.com/ofirdagan/cross-domain-local-storage/issues/17
https://github.com/ofirdagan/cross-domain-local-storage/pull/19
https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-Origin-Client