N/A

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain

N/A

N/A

CleverTap Web SDK 安全漏洞

CleverTap Web SDK是CleverTap开源的一个开发者工具包。 CleverTap Web SDK 1.15.2及之前版本存在安全漏洞，该漏洞源于Visual Builder模块中src/modules/visualBuilder/pageBuilder.js的来源验证使用includes方法检查originUrl是否包含dashboard.clevertap.com，可能导致基于DOM的跨站脚本攻击。

N/A

N/A