CVE-2024-47069
MEDIUMOveleon Cookie Bar < 1.16.3 - Reflected Cross-Site Scripting via Locale Parameter
Title source: llmDescription
Oveleon Cookie Bar is a cookie bar is for the Contao Open Source CMS and allows a visitor to define cookie & privacy settings for the website. Prior to versions 1.16.3 and 2.1.3, the `block/locale` endpoint does not properly sanitize the user-controlled `locale` input before including it in the backend's HTTP response, thereby causing reflected cross-site scripting. Versions 1.16.3 and 2.1.3 contain a patch for the vulnerability.
References (4)
Core 4
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/oveleon/contao-cookiebar/security/advisories/GHSA-296q-rj83-g9rq
Patch x_refsource_misc
https://github.com/oveleon/contao-cookiebar/commit/1d57470be5878f66d5e1e23f624dd387564b9b8d
Technical Description x_refsource_misc
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Product x_refsource_misc
https://github.com/oveleon/contao-cookiebar/blob/2.x/src/Controller/CookiebarController.php
Scores
CVSS v3
6.1
EPSS
0.0042
EPSS Percentile
34.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
oveleon/contao-cookiebar
0 - 1.16.3Packagist
oveleon/cookiebar
< 1.16.3
Published
Sep 23, 2024
Tracked Since
Feb 18, 2026