VDB
KO
MEDIUM 4.3

GHSA-jxj7-g6gm-49j7

tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies

Details

### Summary

tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie.

### Details

`tarteaucitron.cookie.purge()` is called on any element with the `purgeBtn` class. It does not check if the element is a legitimate tarteaucitron button or if the cookie corresponds to a service handled by tarteaucitron.

### PoC

```html <a class="purgeBtn" data-cookie="foo">Click me!</a> ```

If someone has a cookie with this name and clicks on the link, the cookie is silently deleted.

### Impact

The impact is limited because this only works on cookies without HttpOnly=true and the attacker has to know the name of the cookie.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / tarteaucitronjs
Introduced in: 0 Fixed in: 1.33.0
Fix npm install tarteaucitronjs@1.33.0

References