Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-296q-rj83-g9rq: Reflected Cross Site-Scripting (XSS) in Oveleon Cookiebar

usd-2024-0009 | Reflected XSS in Oveleon Cookiebar

Details

Advisory ID: usd-2024-0009 Product: Cookiebar
Affected Version: 2.X
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Security Risk: HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Vendor URL: https://www.usd.de/
CVE Number: Not requested yet
CVE Link: Not requested yet

Affected Component

The block function in CookiebarController.php.

Desciption

Oveleon’s Cookiebar is an extension for the popular Contao CMS. The block/locale endpoint does not properly sanitize the user-controlled locale input before including it in the backend’s HTTP response, thereby causing reflected XSS.

Fix

Sanitize the locale input to prevent XSS payloads from being executed in a user’s browser.

Timeline

  • 2024-04-24: Vulnerability discovered by Daniel Ruppel of usd AG.

  • 2024-07-25: Probable cause of the vulnerability has been identified as Oveleon’s Cookiebar Extension for Contao CMS.

  • 2024-07-25: Vulnerability disclosed via GitHub Vulnerability Report.

ghsa
#xss#vulnerability#web#git#php#perl
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-296q-rj83-g9rq

Reflected Cross Site-Scripting (XSS) in Oveleon Cookiebar

Moderate severity GitHub Reviewed Published Jul 26, 2024 in oveleon/contao-cookiebar • Updated Jul 26, 2024

Package

composer oveleon/contao-cookiebar (Composer)

Affected versions

< 1.16.3

>= 2.0.0, < 2.1.3

Patched versions

1.16.3

2.1.3

usd-2024-0009 | Reflected XSS in Oveleon Cookiebar****Details

Advisory ID: usd-2024-0009
Product: Cookiebar
Affected Version: 2.X
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Security Risk: HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Vendor URL: https://www.usd.de/
CVE Number: Not requested yet
CVE Link: Not requested yet

Affected Component

The block function in CookiebarController.php.

Desciption

Oveleon’s Cookiebar is an extension for the popular Contao CMS.
The block/locale endpoint does not properly sanitize the user-controlled locale input before including it in the backend’s HTTP response, thereby causing reflected XSS.

Fix

Sanitize the locale input to prevent XSS payloads from being executed in a user’s browser.

Timeline

  • 2024-04-24: Vulnerability discovered by Daniel Ruppel of usd AG.

  • 2024-07-25: Probable cause of the vulnerability has been identified as Oveleon’s Cookiebar Extension for Contao CMS.

  • 2024-07-25: Vulnerability disclosed via GitHub Vulnerability Report.

References

  • GHSA-296q-rj83-g9rq
  • oveleon/contao-cookiebar@1d57470
  • https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
  • https://github.com/oveleon/contao-cookiebar/blob/2.x/src/Controller/CookiebarController.php

Published to the GitHub Advisory Database

Jul 26, 2024

Last updated

Jul 26, 2024

ghsa: Latest News

GHSA-pj33-75x5-32j4: RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission