Miggo Logo
Miggo Vulnerability Database
CVE-2020-13258

CVE-2020-13258: Cross-site scripting in Contentful

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-13258
GHSA ID
GHSA-g5j6-r3x9-gf2m
EPSS Score
0.84561%
CWE
CWE-79
Published
6/18/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
contentfulpip< 1.12.41.12.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The core vulnerability exists in the query_string() function which takes raw user input from request.args and constructs a query string without any HTML escaping. This unsanitized output is then used in multiple template href attributes ({{ query_string }}), allowing injection of JavaScript via parameters. The function's direct handling of untrusted input without validation or encoding makes it the primary vulnerable component. Runtime detection would show this function processing malicious parameters like the 'api' payload before they're reflected in responses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ont*nt*ul t*rou** ****-**-** *or Pyt*on *llows r**l**t** XSS, *s **monstr*t** *y t** *pi p*r*m*t*r to t**-*x*mpl*-*pp.py.

Reasoning

T** *or* vuln*r**ility *xists in t** qu*ry_strin*() *un*tion w*i** t*k*s r*w us*r input *rom r*qu*st.*r*s *n* *onstru*ts * qu*ry strin* wit*out *ny *TML *s**pin*. T*is uns*nitiz** output is t**n us** in multipl* t*mpl*t* *r** *ttri*ut*s ({{ qu*ry_str