VYPR
Critical severity · NVD Advisory · Published Aug 16, 2021 · Updated Aug 4, 2024

CVE-2020-18703

Description

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       | Affected versions | Patched versions
quokka (PyPI) | <= 0.4.0          | (none listed)

Vulnerability mechanics

Root cause

"Missing sanitization of `authors` and `title` fields before embedding them into XML output in `quokka/utils/atom.py` and `quokka/core/content/views.py`."

Attack vector

An attacker first creates an article via the admin interface and inserts an XML External Entity payload into the `title` or `authors` field [ref_id=2]. When a victim or automated parser accesses the RSS or Atom feed endpoints — e.g., `/author/{author}/index.rss` or `/author/{author}/index.atom` — the unsanitized payload is embedded into the XML output [ref_id=2]. An XML parser processing that feed may then resolve the external entity, leading to file disclosure, SSRF, or other impacts [CWE-611].

Affected code

The vulnerability exists in `quokka/utils/atom.py` (line 157) and `quokka/core/content/views.py` (line 94) [ref_id=2]. These files construct XML output without filtering or sanitizing the `authors` and `title` fields, allowing attacker-controlled content to be placed directly into the generated XML document [ref_id=2].

What the fix does

No patch is available in the bundle; the repository was archived on October 1, 2020 and is now read-only [ref_id=2]. The advisory recommends filtering the `authors` and `title` fields before they are inserted into XML output [ref_id=2]. Without a fix, any XML parser consuming the generated RSS or Atom feeds remains vulnerable to XXE attacks [CWE-611].
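The two mitigations this section points at, escaping the `title` and `authors` fields before they reach the XML output and refusing DTDs or external entities on the consuming side (CWE-611), as an added Python example. This is not Quokka's code: the `render_entry_*`, `render_feed`, `parse_feed_hardened` and `check_feed` functions and the sample title and author strings are constructed for illustration.

```python
"""Producer-side escaping and consumer-side hardening for an Atom feed.

Added example, not part of the advisory or of Quokka. All names and sample
strings below are constructed for illustration.
"""
from xml.sax.saxutils import escape
import xml.parsers.expat

# Constructed sample: an article whose fields carry markup and an entity
# reference, the way an attacker-controlled title or author would.
SAMPLE_TITLE = "Hello <b>&xxe;</b> ]]>"
SAMPLE_AUTHOR = "alice & bob"


def render_entry_unsafe(title, author):
    """The flaw class: untrusted text is string-formatted straight into XML."""
    return (f"<entry><title>{title}</title>"
            f"<author><name>{author}</name></author></entry>")


def render_entry_safe(title, author):
    """Escapes '&', '<' and '>' so injected markup and entity references
    become literal text in the feed instead of XML structure."""
    return (f"<entry><title>{escape(title)}</title>"
            f"<author><name>{escape(author)}</name></author></entry>")


def render_feed(entries_xml):
    """Wraps rendered entries in a minimal Atom document."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            '<feed xmlns="http://www.w3.org/2005/Atom">'
            + "".join(entries_xml) + "</feed>")


class DtdRejected(Exception):
    """Raised when a feed carries a DOCTYPE, which a consumer should never need."""


def parse_feed_hardened(xml_text):
    """Parses a feed with expat, aborting on any DOCTYPE or external entity
    reference, and returns the list of <title> texts."""
    titles = []
    in_title = [False]
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DTD not allowed in feeds")

    parser.StartDoctypeDeclHandler = start_doctype
    # Belt and braces: never read parameter entities, and make expat fail
    # (return 0) instead of fetching anything an external reference names.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    def start_element(name, attrs):
        if name == "title":
            in_title[0] = True
            titles.append("")

    def end_element(name):
        if name == "title":
            in_title[0] = False

    def character_data(data):
        # expat may deliver text in several chunks; concatenate them.
        if in_title[0]:
            titles[-1] += data

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(xml_text, True)
    return titles


def check_feed(xml_text):
    """Returns (True, titles) for a clean feed, or (False, reason) when the
    feed carries a DTD or is not well-formed (undefined entities included)."""
    try:
        return True, parse_feed_hardened(xml_text)
    except DtdRejected as exc:
        return False, f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed: {exc}"


if __name__ == "__main__":
    print(check_feed(render_feed([render_entry_unsafe(SAMPLE_TITLE, SAMPLE_AUTHOR)])))
    print(check_feed(render_feed([render_entry_safe(SAMPLE_TITLE, SAMPLE_AUTHOR)])))
    print(check_feed('<?xml version="1.0"?><!DOCTYPE feed SYSTEM "feed.dtd"><feed/>'))
```

With the unescaped rendering, the injected `&xxe;` survives into the document and the consumer's parser either fails on an undefined entity or, if a DTD is present, is asked to resolve it; with escaping, the same input round-trips as plain text. The consumer side shows the other half of the defence: a feed reader has no reason to accept a DOCTYPE at all, so rejecting it outright closes the external-entity path regardless of what the producer emitted.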

Preconditions

  • auth: Attacker must have access to create or edit articles (e.g., via the admin interface)
  • input: A victim or automated system must parse the generated RSS or Atom feed with an XML parser that resolves external entities
  • config: The application must be running with a version of Quokka prior to the (unpublished) fix

Reproduction

1. Log in to the Quokka admin interface and create a new article.
2. In the `title` or `authors` field, insert an XXE payload such as `&xxe;` (after defining the entity in the XML prolog if possible, or using a payload that the XML parser will interpret).
3. Save the article.
4. Visit the RSS or Atom feed URL, e.g., `http://192.168.100.8:8000/author/{author}/index.rss` or `http://192.168.100.8:8000/author/{author}/index.atom` [ref_id=2].
5. Observe that the injected XML entity is present in the feed output, confirming the XXE vulnerability [ref_id=2].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
