{"id":23625,"date":"2024-10-30T10:21:20","date_gmt":"2024-10-30T09:21:20","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2024-0009\/"},"modified":"2024-11-08T16:03:13","modified_gmt":"2024-11-08T15:03:13","slug":"usd-2024-0009","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2024-0009\/","title":{"rendered":"usd-2024-0009"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2024-0009 | Reflected XSS in Oveleon Cookiebar<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2024-0009
Product<\/strong>: Cookiebar
Affected Version<\/strong>: <1.16.2
Vulnerability Type<\/strong>: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk<\/strong>: HIGH, CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:A\/VC:N\/VI:L\/VA:N\/SC:L\/SI:L\/SA:N
Vendor URL<\/strong>: https:\/\/www.oveleon.de\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2024-47069\u00a0
CVE Link:\u00a0<\/strong>CVE-2024-47069<\/a><\/p>\n

Affected Component<\/h3>\n

The block<\/strong> function in CookiebarController.php<\/strong>.<\/p>\n

Desciption<\/h3>\n

Oveleon's Cookiebar is an extension for the popular Contao CMS.
The block\/locale<\/strong> endpoint does not properly sanitize the user-controlled locale<\/strong> input before including it in the backend's HTTP response, thereby causing reflected XSS.<\/p>\n

Proof of Concept<\/h3>\n

The vulnerability could be triggered by entering the following Link:<\/p>\n

https:\/\/[redacted].de\/cookiebar\/block\/dens82w%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Ew9qt]()n\/[id]?redirect=https%3A%2F%2Fwww.youtube.com%2F[...]%3D1%26amp%3Brel%3D0<\/pre>\n
It is related to the following function in the Oveleon Cookiebar source code:<\/p>\n
\n
\n
 <\/span>\/**<\/span><\/div>\n
 * Block content<\/span><\/div>\n
 *<\/span><\/div>\n
 * @Route(\"\/cookiebar\/block\/{locale}\/{id}\", name=\"cookiebar_block\")<\/span><\/div>\n
 *\/<\/span><\/div>\n
 <\/span>public<\/span> <\/span>function<\/span> block<\/span>(<\/span>Request<\/span> <\/span>$request,<\/span> <\/span>string<\/span> <\/span>$locale,<\/span> <\/span>int<\/span> <\/span>$id)<\/span>:<\/span> <\/span>Response<\/span><\/div>\n
 <\/span>{<\/span><\/div>\n
 <\/span>System<\/span>::<\/span>loadLanguageFile<\/span>(<\/span>'tl_cookiebar'<\/span>,<\/span> <\/span>$locale);<\/span><\/div>\n
 <\/p>\n
 <\/span>$<\/span>this<\/span>->framework-><\/span>initialize<\/span>();<\/span><\/div>\n
 <\/p>\n
 <\/span>$objCookie<\/span> <\/span>=<\/span> <\/span>CookieModel<\/span>::<\/span>findById<\/span>($id);<\/span><\/div>\n
 <\/p>\n
 <\/span>if<\/span> <\/span>(<\/span>null<\/span> <\/span>===<\/span> <\/span>$objCookie<\/span> <\/span>||<\/span> <\/span>null<\/span> <\/span>===<\/span> <\/span>$request->headers-><\/span>get<\/span>(<\/span>'referer'<\/span>))<\/span><\/div>\n
 <\/span>{<\/span><\/div>\n
 <\/span>throw<\/span> <\/span>new<\/span> <\/span>PageNotFoundException<\/span>();<\/span><\/div>\n
 <\/span>}<\/span><\/div>\n
 <\/p>\n
 <\/span>$strUrl<\/span> <\/span>=<\/span> <\/span>$request-><\/span>get<\/span>(<\/span>'redirect'<\/span>);<\/span><\/div>\n
 <\/p>\n
 <\/span>\/\/ Protect against XSS attacks<\/span><\/div>\n
 <\/span>if<\/span>(<\/span>!<\/span>Validator<\/span>::<\/span>isUrl<\/span>($strUrl))<\/span><\/div>\n
 <\/span>{<\/span><\/div>\n
 <\/span>return<\/span> <\/span>new<\/span> <\/span>Response<\/span>(<\/span>'The redirect destination must be a valid URL.'<\/span>,<\/span> <\/span>Response<\/span>::<\/span>HTTP_BAD_REQUEST<\/span>);<\/span><\/div>\n
 <\/span>}<\/span><\/div>\n
 <\/p>\n
 <\/span>$objTemplate<\/span> <\/span>=<\/span> <\/span>new<\/span> <\/span>FrontendTemplate<\/span>($objCookie->blockTemplate<\/span> <\/span>?:<\/span> <\/span>'ccb_element_blocker'<\/span>);<\/span><\/div>\n
 <\/p>\n
 <\/span>$objTemplate->language<\/span> <\/span>=<\/span> <\/span>$locale;<\/span><\/div>\n
 <\/span>$objTemplate->id<\/span> <\/span>=<\/span> <\/span>$objCookie->id;<\/span><\/div>\n
 <\/span>$objTemplate->title<\/span> <\/span>=<\/span> <\/span>$objCookie->title;<\/span><\/div>\n
 <\/span>$objTemplate->type<\/span> <\/span>=<\/span> <\/span>$objCookie->type;<\/span><\/div>\n
 <\/span>$objTemplate->iframeType<\/span> <\/span>=<\/span> <\/span>$objCookie->iframeType;<\/span><\/div>\n
 <\/span>$objTemplate->description<\/span> <\/span>=<\/span> <\/span>$objCookie->blockDescription;<\/span><\/div>\n
 <\/span>$objTemplate->redirect<\/span> <\/span>=<\/span> <\/span>$request-><\/span>get<\/span>(<\/span>'redirect'<\/span>);<\/span><\/div>\n
 <\/span>$objTemplate->acceptAndDisplayLabel<\/span> <\/span>=<\/span> <\/span><\/div>\n
 $<\/span>this<\/span>->translator-><\/span>trans<\/span>(<\/span>'tl_cookiebar.acceptAndDisplayLabel'<\/span>,<\/span> <\/span>[],<\/span> <\/span>'contao_default'<\/span>,<\/span> <\/span>$locale);<\/span><\/div>\n
 <\/p>\n
 <\/span>return<\/span> <\/span>$objTemplate-><\/span>getResponse<\/span>();<\/span><\/div>\n
 <\/span>}<\/span><\/div>\n<\/div>\n<\/div>\n
 <\/p>\n
Fix<\/h3>\n
Sanitize the locale<\/strong> input to prevent XSS payloads from being executed in a user's browser.<\/p>\n
References<\/h3>\n