CVE-2020-19000: Cross Site Scripting (XSS) in Simiki
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.61467%
CWE
Published: 9/1/2021
Updated: 10/22/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
simiki | pip | <= 1.6.2.1 | 1.6.2.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two related issues in template handling: 1) The PageGenerator's HTML generation logic (`generate` method) passes user-controlled input (like titles) to Jinja2 templates without proper escaping. 2) The root cause is the insecure initialization of the Jinja2 Environment in `generators.py` (line 54 in vulnerable versions), where autoescaping is disabled by default. This combination allows attackers to inject arbitrary HTML/JS via user-controlled content like page titles. GitHub issue #123 explicitly identifies the Jinja2 autoescape configuration as the XSS vector, and the CVE description pinpoints `generators.py` line 54 as the vulnerable component.