CVE-2024-32472: Hardcoded Sandbox Allow Same Origin

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | TS
greprules fetch cve-2024-32472-hardcoded-sandbox-allow-same-origin --engine opengrep

Description

Hardcoding 'allowSameOrigin: true' in a sandbox configuration object can lead to Stored XSS. If this configuration is used to render an embedded iframe, and the URL matching logic is weak (e.g., using unanchored Regex), an attacker can bypass the filters and execute scripts within the exact same origin. 'allowSameOrigin' should be computed dynamically by str
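
The flagged pattern beside a stricter form, as an added example that is not the rule's or any project's own code. The host list, function names and URLs are constructed, and deriving the flag from a parsed-URL allowlist check is an assumption about the fix, since the description above is cut off.

```typescript
interface SandboxConfig {
  allowScripts: boolean;
  allowSameOrigin: boolean;
}

// Pattern the rule flags: an unanchored regex gates the embed, and
// allowSameOrigin is a literal `true`.
const WEAK_EMBED_RE = /youtube\.com\/embed\//;

function weakSandboxFor(url: string): SandboxConfig | null {
  if (!WEAK_EMBED_RE.test(url)) return null; // matches anywhere in the string
  return { allowScripts: true, allowSameOrigin: true };
}

// Hardened form (assumed design): parse first, then compare exact fields.
const EMBED_HOSTS: readonly string[] = ["www.youtube.com"]; // hypothetical allowlist

function isTrustedEmbed(url: string, appOrigin: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false; // relative or malformed input is never trusted
  }
  return (
    parsed.protocol === "https:" &&
    parsed.origin !== appOrigin && // never grant the flag to our own origin
    EMBED_HOSTS.indexOf(parsed.hostname) !== -1 && // exact host, not a substring
    /^\/embed\//.test(parsed.pathname) // anchored path check
  );
}

function strictSandboxFor(url: string, appOrigin: string): SandboxConfig {
  // allowSameOrigin is derived from the check instead of being hardcoded.
  return { allowScripts: true, allowSameOrigin: isTrustedEmbed(url, appOrigin) };
}

// Constructed sample: the allowlisted pattern appears only in the query string.
const APP_ORIGIN = "https://app.example";
const SAMPLE_URL = "https://app.example/files/a.html?ref=youtube.com/embed/";
```

With the constructed sample, the weak check returns a config with `allowSameOrigin: true` for a same-origin document, while the strict version returns `false` for it and `true` only for an exact-host HTTPS embed URL.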