CVE-2020-11610

HIGH Year: 2020
CVSS v3 Score
8.8
High
CVSS v2 Score
6.8
Medium
Weakness Type
CWE-668
View all →

Vulnerability Description

An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.

Related Vulnerabilities

CVE-2016-10840

HIGH
CVSS:8.8(High)

cPanel before 11.54.0.4 allows arbitrary code execution during locale duplication (SEC-72).

CWE-6682016

CVE-2017-0367

HIGH
CVSS:8.8(High)

Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure.

CWE-6682017

CVE-2017-15393

HIGH
CVSS:8.8(High)

Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page...

CWE-6682017

CVE-2017-15592

HIGH
CVSS:8.8(High)

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishand...

CWE-6682017

CVE-2018-20321

HIGH
CVSS:8.8(High)

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute admin...

CWE-6682018

CVE-2019-12274

HIGH
CVSS:8.8(High)

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain ...

CWE-6682019