
CVE-2020-18702: Cross Site Scripting (XSS) in Quokka

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.60247%
Published: 8/30/2021
Updated: 10/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: quokka
Ecosystem: pip
Vulnerable Versions: <= 0.4.0
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability explicitly references the 'Username' parameter in quokka/admin/actions.py as the injection point. Exact function names are not provided, but XSS vulnerabilities of this kind typically arise in input-handling code that renders user input directly without sanitization. The file path and parameter name strongly indicate that the user registration and management functions in this file lack proper output encoding when processing the username value.


WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) in Quokka v*.*.* allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'.
