CVE-2015-9543

Current Description

An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStoragePostMessageApi.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
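Added example (not code from the cross-domain-local-storage project): a postMessage handler with the CWE-20 defect described above, next to a hardened version that checks the sender's origin before touching storage. The message shape, the function names and the localStorage stand-in are assumptions made for this illustration.

```javascript
// Minimal stand-in for window.localStorage so the example runs under Node.
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Vulnerable shape (assumed, mirrors the CVE text): event.origin is never
// consulted, so any page the victim's browser loads can read or overwrite
// the vulnerable site's localStorage through this handler.
function vulnerableReceiveMessage(storage) {
  return (event) => {
    const msg = JSON.parse(event.data);
    if (msg.action === 'set') storage.setItem(msg.key, msg.value);
    else if (msg.action === 'remove') storage.removeItem(msg.key);
    return { accepted: true, value: storage.getItem(msg.key) };
  };
}

// Hardened shape: exact-match allowlist of full origins (scheme://host[:port]),
// then a strict shape check on the payload. Exact equality matters; substring
// or prefix tests such as origin.indexOf('app.example') are bypassable.
function hardenedReceiveMessage(storage, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  const actions = new Set(['get', 'set', 'remove']);
  return (event) => {
    if (typeof event.origin !== 'string' || !allowed.has(event.origin)) {
      return { accepted: false };
    }
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return { accepted: false }; }
    if (!msg || typeof msg !== 'object' || !actions.has(msg.action) ||
        typeof msg.key !== 'string') {
      return { accepted: false };
    }
    if (msg.action === 'set') storage.setItem(msg.key, String(msg.value));
    else if (msg.action === 'remove') storage.removeItem(msg.key);
    return { accepted: true, value: storage.getItem(msg.key) };
  };
}
```

In a real page the allowlist should hold the exact origins of the sites permitted to use the storage, and replies should go back with `event.source.postMessage(reply, event.origin)` rather than `'*'`.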

Basic Data

Published: April 07, 2020
Last Modified: April 08, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-20
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 5.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 4.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version: 2.3
    Part: Application
    Vendor: Cross Domain Local Storage Project
    Product: Cross Domain Local Storage
    Version / Update / Edition / Language / SW Edition / Target SW / Target HW / Other: * (any)
    Version Start Including: (none)
    Version End Including: 2.0.5

Vulnerable Software List

Vendor: Cross Domain Local Storage Project
Product: Cross Domain Local Storage
Versions: *

References

  • https://github.com/ofirdagan/cross-domain-local-storage
    Source: MISC
    Tags: Product, Third Party Advisory
  • https://github.com/ofirdagan/cross-domain-local-storage/issues/17
    Source: MISC
    Tags: Patch, Third Party Advisory
  • https://github.com/ofirdagan/cross-domain-local-storage/pull/19
    Source: MISC
    Tags: Patch, Third Party Advisory
  • https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-Origin-Magic-iframe
    Source: MISC
    Tags: Exploit, Third Party Advisory