Reflected Cross Site-Scripting (XSS) in Oveleon Cookiebar
Moderate severity
GitHub Reviewed
Published
Jul 26, 2024
in
oveleon/contao-cookiebar
•
Updated Aug 5, 2024
Package
Affected versions
< 1.16.3
>= 2.0.0, < 2.1.3
Patched versions
1.16.3
2.1.3
Description
Published to the GitHub Advisory Database
Jul 26, 2024
Reviewed
Jul 26, 2024
Last updated
Aug 5, 2024
usd-2024-0009 | Reflected XSS in Oveleon Cookiebar
Details
Advisory ID: usd-2024-0009
Product: Cookiebar
Affected Version: 2.X
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Vendor URL: https://www.usd.de/
CVE Number: Not requested yet
CVE Link: Not requested yet
Affected Component
The
block
function inCookiebarController.php
.Desciption
Oveleon's Cookiebar is an extension for the popular Contao CMS.
The
block/locale
endpoint does not properly sanitize the user-controlledlocale
input before including it in the backend's HTTP response, thereby causing reflected XSS.Fix
Sanitize the
locale
input to prevent XSS payloads from being executed in a user's browser.Timeline
2024-04-24: Vulnerability discovered by Daniel Ruppel of usd AG.
2024-07-25: Probable cause of the vulnerability has been identified as Oveleon's Cookiebar Extension for Contao CMS.
2024-07-25: Vulnerability disclosed via GitHub Vulnerability Report.
References