usd-2024-0009 | Reflected XSS in Oveleon Cookiebar

Advisory ID: usd-2024-0009
Product: Cookiebar
Affected Version: <1.16.2
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Vendor URL: https://www.oveleon.de/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-47069 
CVE Link: CVE-2024-47069

Affected Component

The block function in CookiebarController.php.

Description

Oveleon's Cookiebar is an extension for the popular Contao CMS.
The /cookiebar/block/{locale}/{id} endpoint does not properly sanitize the user-controlled locale path parameter before including it in the HTTP response, which results in reflected XSS.

Proof of Concept

The vulnerability can be triggered by opening the following link:

https://[redacted].de/cookiebar/block/dens82w%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Ew9qt]()n/[id]?redirect=https%3A%2F%2Fwww.youtube.com%2F[...]%3D1%26amp%3Brel%3D0

It is related to the following function in the Oveleon Cookiebar source code:

/**
 * Block content
 *
 * @Route("/cookiebar/block/{locale}/{id}", name="cookiebar_block")
 */
public function block(Request $request, string $locale, int $id): Response
{
    // $locale comes straight from the URL path and is never validated
    System::loadLanguageFile('tl_cookiebar', $locale);

    $this->framework->initialize();

    $objCookie = CookieModel::findById($id);

    if (null === $objCookie || null === $request->headers->get('referer'))
    {
        throw new PageNotFoundException();
    }

    $strUrl = $request->get('redirect');

    // Protect against XSS attacks (only the redirect parameter is checked here)
    if(!Validator::isUrl($strUrl))
    {
        return new Response('The redirect destination must be a valid URL.', Response::HTTP_BAD_REQUEST);
    }

    $objTemplate = new FrontendTemplate($objCookie->blockTemplate ?: 'ccb_element_blocker');

    // Sink: the raw locale is handed to the template and reflected into the response
    $objTemplate->language = $locale;
    $objTemplate->id = $objCookie->id;
    $objTemplate->title = $objCookie->title;
    $objTemplate->type = $objCookie->type;
    $objTemplate->iframeType = $objCookie->iframeType;
    $objTemplate->description = $objCookie->blockDescription;
    $objTemplate->redirect = $request->get('redirect');
    $objTemplate->acceptAndDisplayLabel =
        $this->translator->trans('tl_cookiebar.acceptAndDisplayLabel', [], 'contao_default', $locale);

    return $objTemplate->getResponse();
}

Fix

Sanitize the locale input to prevent XSS payloads from being executed in a user's browser.
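The following is an added, stand-alone illustration of that remediation and is not Oveleon's patch (the actual fix is not reproduced in this advisory). It assumes a known list of shipped locales (the hypothetical $allowed array below) and a template engine that does not escape values by default, so it combines strict input validation of the locale with output encoding at the HTML sink; the function names are invented for the example.

```php
<?php
// Added example (not Oveleon's code): defensive handling of a route
// parameter such as {locale} before it reaches an HTML template.
// Assumptions: the site knows its shipped locales in advance (hypothetical
// $allowed list below) and the template does not escape by default.
declare(strict_types=1);

/**
 * Strictly validate a locale tag: a lowercase language code optionally
 * followed by an uppercase region, e.g. "de" or "en_US". Anything else is
 * rejected, so characters such as '"', '<' and '>' never reach the template.
 */
function isValidLocale(string $locale): bool
{
    return (bool) preg_match('/^[a-z]{2,3}(?:_[A-Z]{2})?$/', $locale);
}

/**
 * Resolve the requested locale against an allowlist of locales the site
 * actually ships. Falls back to the default instead of echoing the input.
 */
function resolveLocale(string $requested, array $allowed, string $default): string
{
    if (isValidLocale($requested) && in_array($requested, $allowed, true)) {
        return $requested;
    }
    return $default;
}

/**
 * Output encoding for HTML text and attribute contexts. ENT_QUOTES encodes
 * both quote styles, which matters inside attributes like lang="...".
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the blocker element with the locale both validated and encoded. */
function renderBlocker(string $locale, array $allowed): string
{
    $safeLocale = resolveLocale($locale, $allowed, 'en');
    // Encoding the already-validated value is defence in depth: if the
    // allowlist is ever loosened, the sink still cannot emit markup.
    return sprintf(
        '<div class="ccb-blocker" lang="%s" data-locale="%s">...</div>',
        escapeHtml($safeLocale),
        escapeHtml($safeLocale)
    );
}

// Constructed sample inputs: two legitimate locales and two inputs carrying
// the markup metacharacters a reflected payload depends on.
$allowed = ['de', 'en', 'en_US'];
foreach (['de', 'en_US', 'x" onmouseover="1', 'fr<script>'] as $input) {
    printf(
        "%-24s valid=%-3s output=%s\n",
        json_encode($input),
        isValidLocale($input) ? 'yes' : 'no',
        renderBlocker($input, $allowed)
    );
}
```

Running this with the PHP CLI shows "de" and "en_US" passing through unchanged, while both malformed inputs fail isValidLocale() and are replaced by the default locale, so the rendered element never contains the injected characters. Note that the Validator::isUrl() check in the vulnerable function above only covers the redirect query parameter; the same validate-then-encode discipline has to be applied to every value copied into the template, the locale path segment included.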

References

Timeline

  • 2024-04-24: Vulnerability discovered by DR of usd AG.
  • 2024-07-25: Probable cause of the vulnerability has been identified as Oveleon's Cookiebar Extension for Contao CMS.
  • 2024-07-25: Vulnerability disclosed via GitHub Vulnerability Report.
  • 2024-07-26: Vulnerability patched by Oveleon and GitHub advisory published.

Credits

This security vulnerability was identified by DR of usd AG.