CVE-2024-47069

Oveleon Cookie Bar is a cookie bar is for the Contao Open Source CMS and allows a visitor to define cookie & privacy settings for the website. Prior to versions 1.16.3 and 2.1.3, the `block/locale` endpoint does not properly sanitize the user-controlled `locale` input before including it in the backend's HTTP response, thereby causing reflected cross-site scripting. Versions 1.16.3 and 2.1.3 contain a patch for the vulnerability.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:oveleon:cookiebar:*:*:*:*:*:cantao:*:*
cpe:2.3:a:oveleon:cookiebar:*:*:*:*:*:cantao:*:*

History

30 Sep 2024, 13:40

Type Values Removed Values Added
References () https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html - () https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html - Technical Description
References () https://github.com/oveleon/contao-cookiebar/blob/2.x/src/Controller/CookiebarController.php - () https://github.com/oveleon/contao-cookiebar/blob/2.x/src/Controller/CookiebarController.php - Product
References () https://github.com/oveleon/contao-cookiebar/commit/1d57470be5878f66d5e1e23f624dd387564b9b8d - () https://github.com/oveleon/contao-cookiebar/commit/1d57470be5878f66d5e1e23f624dd387564b9b8d - Patch
References () https://github.com/oveleon/contao-cookiebar/security/advisories/GHSA-296q-rj83-g9rq - () https://github.com/oveleon/contao-cookiebar/security/advisories/GHSA-296q-rj83-g9rq - Exploit, Vendor Advisory
First Time Oveleon cookiebar
Oveleon
CPE cpe:2.3:a:oveleon:cookiebar:*:*:*:*:*:cantao:*:*

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Oveleon Cookie Bar es una barra de cookies para el CMS de código abierto Contao y permite que un visitante defina la configuración de privacidad y cookies para el sitio web. Antes de las versiones 1.16.3 y 2.1.3, el punto de conexión `block/locale` no desinfecta correctamente la entrada `locale` controlada por el usuario antes de incluirla en la respuesta HTTP del backend, lo que provoca un error de cross-site scripting reflejado. Las versiones 1.16.3 y 2.1.3 contienen un parche para la vulnerabilidad.

23 Sep 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-23 16:15

Updated : 2024-09-30 13:40


NVD link : CVE-2024-47069

Mitre link : CVE-2024-47069

CVE.ORG link : CVE-2024-47069


JSON object : View

Products Affected

oveleon

  • cookiebar
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')