CVE-2020-18702
Description
Cross Site Scripting (XSS) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| quokka (PyPI) | <= 0.4.0 | none |
Affected products
- Quokka / Quokka
Patches
None published; the upstream repository is archived and read-only.
Vulnerability mechanics
Root cause
"Missing output encoding of the `username` parameter before it is passed to `Markup()` in `quokka/admin/actions.py`, allowing injected HTML/JavaScript to be rendered in the browser."
Attack vector
An attacker with the ability to create a user (or change their own username) sets the `Username` field to an HTML/JavaScript payload. When an administrator later runs the 'Create user profile block' action on that account, the username is interpolated unescaped into a `Markup()` flash message and the payload executes in the administrator's browser.
Affected code
The vulnerability resides in `quokka/admin/actions.py` at lines 90 and 151 [ref_id=2]. The code constructs a `flash()` message using `Markup()` with the unsanitized `user["username"]` value interpolated directly into an HTML string [ref_id=2].
What the fix does
No patch or fix has been published for this vulnerability; the repository was archived by the owner on October 1, 2020, and is now read-only [ref_id=2]. The advisory recommends filtering or escaping the `username` parameter before it is used in the `Markup()` call to prevent XSS [ref_id=2].
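The following is an added illustration of the construction the advisory describes, written for this page; it is not Quokka's code and the message text, the `ATTACKER_USER` sample and the function names are assumptions. It contrasts interpolating the raw username into a string that is then wrapped in `Markup()` (which declares the result safe, so Jinja renders it verbatim) with letting `Markup.format()` escape the value. A minimal stand-in for `Markup`/`escape` is used only when `markupsafe` is not installed, so the block runs offline.

```python
"""Illustration of the CVE-2020-18702 pattern (added example, not Quokka's code).

Root cause per the advisory: a flash() message in quokka/admin/actions.py is
built as Markup() around a string that already contains the raw username.
"""
import html

try:
    from markupsafe import Markup, escape
except ImportError:
    # Minimal stand-in with the two behaviours this example relies on:
    # Markup marks a string as safe HTML, and Markup.format() escapes arguments.
    class Markup(str):
        def __html__(self):
            return self

        def format(self, *args, **kwargs):
            return Markup(
                str.format(
                    self,
                    *(escape(a) for a in args),
                    **{k: escape(v) for k, v in kwargs.items()},
                )
            )

    def escape(value):
        if hasattr(value, "__html__"):
            return Markup(value.__html__())
        return Markup(html.escape(str(value), quote=True))


# Constructed sample input: a user record whose username carries a payload.
ATTACKER_USER = {"username": "<script>alert(document.cookie)</script>"}


def vulnerable_message(user):
    """Vulnerable form: '%' interpolation runs on a plain str, so nothing is
    escaped; Markup() then labels the finished string as safe HTML."""
    return Markup("Profile block created for user <b>%s</b>" % user["username"])


def fixed_message(user):
    """Fixed form: the template is the only part marked safe, and
    Markup.format() HTML-escapes every argument that is not itself Markup."""
    return Markup("Profile block created for user <b>{}</b>").format(user["username"])


def payload_survives(message):
    """True if a raw <script> tag would reach the browser unescaped."""
    return "<script>" in str(message)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_message(ATTACKER_USER))
    print("fixed:     ", fixed_message(ATTACKER_USER))
```

The same rule applies to any `Markup("..." % value)` or `Markup("..." + value)` construction: do the escaping after the string is wrapped (via `Markup.format()`, `Markup % value`, or an explicit `escape(value)`), never before.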
Preconditions
- Attacker must be able to create a user account (or modify the username) in the Quokka admin interface.
- The attacker's username must contain a JavaScript payload.
- An admin or user must trigger the 'Create user profile block' action on the crafted username.
Reproduction
1. Log in to the Quokka admin interface.
2. Create a new user with a username containing an XSS payload.
3. Run the 'Create user profile block' action on that user; the username is rendered unescaped through `Markup()` in the resulting flash message.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5m69-3chg-6f8m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-18702 (advisory)
- github.com/pypa/advisory-database/tree/main/vulns/quokka/PYSEC-2021-143.yaml (web)
- github.com/rochacbruno/quokka/issues/675 (x_refsource_MISC, web)
News mentions
No linked articles in our index yet.