mirror of
https://github.com/0xMarcio/cve.git
synced 2026-05-09 23:27:33 +02:00
0xMarcio
892 B
892 B
CVE-2020-11610
Description
An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.
POC
Reference
Github
No PoCs found on GitHub currently.