CVE-2020-13258
Description
Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contentful Python example app through 2020-05-21 has a reflected XSS via the api parameter due to insufficient input sanitization.
The vulnerability is a reflected cross-site scripting (XSS) issue in the Contentful Python example application (the-example-app.py) as of May 21, 2020 [1]. The root cause lies in the query_string() function in routes/base.py, which constructs a query string from user-supplied parameters. While it rejects certain keys like space_id and delivery_token, it does not sanitize the values of other parameters, allowing arbitrary HTML/JavaScript to be injected [1].
An attacker can exploit this by crafting a URL with a malicious api parameter (or any non-rejected parameter) containing script payloads. For example, the proof-of-concept URL https://the-example-app-py.contentful.com/?cda'"&locale=de-DE triggers the XSS when a victim visits the link [1]. The injected payload is reflected in the page because the query_string output is used unsafely in template contexts like href="/courses/{{ course.slug }}{{ query_string }}" [1].
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected domain. This can lead to session hijacking, credential theft, or defacement. The attack requires no authentication and can be delivered via phishing or other social engineering [1][2].
As of the publication date (2020-05-21), no patch was available; the issue was reported via the project's GitHub issue tracker [1]. Users are advised to manually sanitize all user-controlled input in the query_string function or upgrade to a patched version if released. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| contentful (PyPI) | < 1.12.4 | 1.12.4 |
Affected products
- Contentful / Contentful for Python
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `query_string()` function in `routes/base.py` concatenates user-supplied query parameter values into a raw string without HTML-escaping, and the result is injected directly into `href` attributes in Jinja templates, enabling reflected cross-site scripting [CWE-79] [ref_id=1]."
Attack vector
An attacker crafts a URL containing a malicious query parameter such as `api` with a JavaScript payload, e.g., `?cda'"
Affected code
The vulnerable function is `query_string()` in `routes/base.py` [ref_id=1]. It builds a query string by concatenating user-supplied parameter names and values without any HTML encoding, and the result is injected into `href` attributes across 13 template files (e.g., `views/course.dhtml`, `views/layout.dhtml`, `views/partials/breadcrumb.dhtml`) via `{{ query_string }}` [ref_id=1]. The function only rejects a hardcoded list of keys (`space_id`, `delivery_token`, `preview_token`, `editorial_features`) but does not sanitize the values of any other parameters [ref_id=1].
What the fix does
No patch is published in the supplied bundle. The advisory [ref_id=1] identifies the root cause: the `query_string()` function in `routes/base.py` builds a raw query string from user-supplied parameters without HTML-escaping the values before they are interpolated into `href` attributes in templates. The remediation would require either HTML-encoding the parameter values before concatenation, or using a parameterized/auto-escaped template mechanism that prevents raw user input from being interpreted as HTML.
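As an added illustration of that remediation (example code written for this page, not the project's own; the function bodies are a hypothetical reconstruction, and only the rejected key names and the `href` template shape come from the advisory), here is the raw-concatenation pattern beside a hardened builder that percent-encodes keys and values and then HTML-escapes the result for attribute context:

```python
# Added example, not code from the-example-app.py: a hypothetical reconstruction
# of the vulnerable query-string builder beside a hardened version (stdlib only).
from html import escape
from urllib.parse import urlencode

# Key names the advisory says the original function drops; every other
# key and value passes through. Behaviour below is reconstructed, not copied.
REJECTED_KEYS = {"space_id", "delivery_token", "preview_token", "editorial_features"}


def query_string_unsafe(args):
    """Vulnerable pattern: raw concatenation, no encoding of keys or values."""
    parts = [f"{k}={v}" for k, v in args.items() if k not in REJECTED_KEYS]
    return "?" + "&".join(parts) if parts else ""


def query_string_safe(args):
    """Hardened: percent-encode keys and values (quotes, <, > become %xx), then
    HTML-escape the whole string so it is safe inside a quoted attribute."""
    kept = {k: v for k, v in args.items() if k not in REJECTED_KEYS}
    if not kept:
        return ""
    return "?" + escape(urlencode(kept), quote=True)


def render_href(slug, qs):
    """Stand-in for href="/courses/{{ course.slug }}{{ query_string }}" rendered
    without autoescaping, which is the context the advisory describes."""
    return f'href="/courses/{slug}{qs}"'


def attribute_is_intact(href):
    """True if only the two delimiting quotes are present, i.e. untrusted data
    did not close the href attribute early."""
    return href.count('"') == 2


if __name__ == "__main__":
    # Constructed request args mirroring the shape of the advisory's PoC URL:
    # a key containing quote characters, a benign locale, and a rejected key.
    args = {"cda'\"": "", "locale": "de-DE", "delivery_token": "constructed"}
    print(render_href("intro", query_string_unsafe(args)))  # attribute broken
    print(render_href("intro", query_string_safe(args)))    # attribute intact
```

If the template layer is expected to do the escaping instead, note that Flask enables Jinja autoescaping by default only for template names ending in .html, .htm, .xml and .xhtml, so templates with a `.dhtml` extension like those named above would need autoescaping turned on explicitly (an assumption about this app's configuration, which the page does not state).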
Preconditions
- Network: The application must be running and publicly accessible.
- Input: The attacker must be able to craft a URL with arbitrary query parameters (no authentication required).
Reproduction
Visit a URL such as `https://the-example-app-py.contentful.com/?cda'"
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g5j6-r3x9-gf2m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13258 (NVD advisory)
- github.com/contentful/the-example-app.py/issues/44 (issue report)
News mentions
No linked articles in our index yet.