
CVE-2020-18705:
Improper Restriction of XML External Entity Reference in Quokka

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.84908%
Published: 8/30/2021
Updated: 10/16/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
quokka         pip         <= 0.4.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability reports explicitly reference XML processing in quokka/core/content/views.py and quokka/utils/atom.py. XXE vulnerabilities typically occur when two conditions hold: 1) untrusted input is incorporated into XML documents, and 2) the XML parser is configured to resolve external entities. The line numbers cited in Issue #676 (views.py:94 and atom.py:157) suggest that these functions handle feed generation. The attack vector via the author/index.rss endpoints, together with the lack of input sanitization noted in the issue, confirms that these are the entry points where user-controlled data enters XML processing without proper restrictions.
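The two conditions above map onto two defensive controls. The following is an added example, not Quokka's own code: user-controlled text is escaped before it is embedded in feed XML, and untrusted XML is parsed under an explicit policy that refuses entity declarations and external entity references. The stdlib expat binding is used; the sample documents are constructed for the example.

```python
import xml.parsers.expat
from xml.sax.saxutils import escape


class UnsafeXML(ValueError):
    """Raised when a document declares or references an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with entity expansion refused.

    Expat does not fetch external entities unless a handler is installed, but
    making the refusal explicit means a later change cannot silently enable it.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements, text = [], []

    def refuse_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity declaration {name!r} refused")

    def refuse_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id!r} refused")

    parser.EntityDeclHandler = refuse_entity_decl          # any <!ENTITY ...> aborts parsing
    parser.ExternalEntityRefHandler = refuse_external_ref  # any external reference aborts parsing
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(text)}


def feed_entry_xml(title: str) -> str:
    """Embed a user-controlled title into feed XML as text, never as markup."""
    return f"<entry><title>{escape(title)}</title></entry>"


def accepts(data: bytes) -> bool:
    """True if the document parses under the hardened policy, False if refused."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample inputs (not taken from the advisory); the system id is a placeholder.
BENIGN = b"<feed><entry><title>hello</title></entry></feed>"
ENTITY_DOC = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE feed [<!ENTITY ext SYSTEM "file:///placeholder">]>'
              b"<feed>&ext;</feed>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print(accepts(ENTITY_DOC))         # False
    print(feed_entry_xml("<b>&</b>"))  # <entry><title>&lt;b&gt;&amp;&lt;/b&gt;</title></entry>
```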

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

XML external entities (XXE) in Quokka v*.*.* allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.
