Miggo Logo
Miggo Vulnerability Database
CVE-2020-18702

CVE-2020-18702:
Cross Site Scripting (XSS) in Quokka

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-18702
GHSA ID
GHSA-5m69-3chg-6f8m
EPSS Score
0.60247%
CWE
CWE-79
Published
8/30/2021
Updated
10/24/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
quokkapip<= 0.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly references the 'Username' parameter in quokka/admin/actions.py as the injection point. While exact function names aren't provided, XSS vulnerabilities typically occur in input handling functions that directly render user input without sanitization. The file path and parameter name strongly indicate that user registration/management functions in this file lack proper output encoding when processing the username value.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* (XSS) in Quokk* v*.*.* *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** vi* t** 'Us*rn*m*' p*r*m*t*r in t** *ompon*nt 'quokk*/**min/**tions.py'.

Reasoning

T** vuln*r**ility *xpli*itly r***r*n**s t** 'Us*rn*m*' p*r*m*t*r in `quokk*/**min/**tions.py` *s t** inj**tion point. W*il* *x**t *un*tion n*m*s *r*n't provi***, XSS vuln*r**iliti*s typi**lly o**ur in input **n*lin* *un*tions t**t *ir**tly r*n**r us*