VYPR
Critical severity · NVD Advisory · Published Aug 16, 2021 · Updated Aug 4, 2024

CVE-2020-18705

Description

XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: quokka (PyPI)
Affected versions: <= 0.4.0
Patched versions: none

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing sanitization of user-supplied title and author fields before embedding them into XML output allows XML External Entity injection."

Attack vector

An attacker with the ability to create or edit articles in the Quokka CMS admin interface can inject XML External Entity payloads into the `title` or `author` fields [ref_id=2]. When a victim (or an automated feed reader) requests the RSS or Atom feed at `/author/{author}/index.rss` or `/author/{author}/index.atom`, the unsanitized payload is embedded verbatim into the generated XML document [ref_id=2]. An XML parser that resolves external entities then processes the injected entity, which can expose local files or cause server-side request forgery [CWE-611].

Affected code

The vulnerability exists in `quokka/core/content/views.py` (line 94) and `quokka/utils/atom.py` (line 157) [ref_id=2]. These code paths process user-supplied `title` and `author` fields without filtering XML metacharacters, allowing injection of XML External Entity payloads [ref_id=2].

What the fix does

No patch or fix is published in the bundle. The repository was archived by the owner on Oct 1, 2020 and is now read-only [ref_id=2]. The advisory recommends escaping or filtering the `title` and `author` fields before they are inserted into XML output, so that XML metacharacters in user input are emitted as character data rather than markup [ref_id=2].
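Since the project ships no fix, the following is an added example (not Quokka's code and not from the advisory) of the mitigation the advisory recommends: the unsafe string-interpolation pattern beside two hardened renderings, plus the check a consumer of the feed can run. The `<entry>`/`<title>`/`<author>` element names, the function names and the sample field values are assumptions made for the demonstration; the `&xxe;` token in the sample title is the one the page itself mentions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample field values (not taken from the advisory) in the shape it
# describes: user-controlled title/author text containing XML-significant
# characters, including an entity reference like the `&xxe;` the page mentions.
SAMPLE_TITLE = "Release notes &xxe; draft"
SAMPLE_AUTHOR = "editor <admin>"


def render_entry_unsafe(title: str, author: str) -> str:
    """'Before' pattern: fields interpolated straight into the feed markup.

    Any '&', '<' or '>' in the input is read as XML syntax by whoever parses
    the feed, which is the root cause the advisory describes.
    """
    return (
        "<entry>"
        f"<title>{title}</title>"
        f"<author><name>{author}</name></author>"
        "</entry>"
    )


def render_entry_escaped(title: str, author: str) -> str:
    """Hardened pattern 1: keep string templating but escape every field.

    xml.sax.saxutils.escape rewrites '&', '<' and '>' as '&amp;', '&lt;' and
    '&gt;', so the values survive only as character data.
    """
    return (
        "<entry>"
        f"<title>{escape(title)}</title>"
        f"<author><name>{escape(author)}</name></author>"
        "</entry>"
    )


def render_entry_tree(title: str, author: str) -> str:
    """Hardened pattern 2: build the entry as a tree and let the serializer
    escape, so no code path can forget to call escape()."""
    entry = ET.Element("entry")
    ET.SubElement(entry, "title").text = title
    author_el = ET.SubElement(entry, "author")
    ET.SubElement(author_el, "name").text = author
    return ET.tostring(entry, encoding="unicode")


def is_well_formed(xml_text: str) -> bool:
    """Check that a generated fragment parses at all. The unsafe rendering of
    the sample fails: '&xxe;' is an undefined entity and '<admin>' is an
    unclosed tag."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


def read_back(xml_text: str) -> tuple:
    """Parse a fragment and return (title, author name) as a consumer sees them.
    A correct renderer round-trips the original field values exactly."""
    root = ET.fromstring(xml_text)
    return root.findtext("title"), root.findtext("author/name")


if __name__ == "__main__":
    for name, render in (("unsafe", render_entry_unsafe),
                         ("escaped", render_entry_escaped),
                         ("tree", render_entry_tree)):
        out = render(SAMPLE_TITLE, SAMPLE_AUTHOR)
        print(f"{name:8} well-formed={is_well_formed(out)}  {out}")
```

The tree-based renderer is the more robust of the two hardened forms because escaping is a property of the serializer rather than of each template site; a regression test like `read_back` run over fields containing `&`, `<` and `>` catches any feed template that drops the escaping. On the consuming side, `xml.etree.ElementTree` does not expand external entities and raises `ParseError` when it meets one, which is why it is used here for the well-formedness check.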

Preconditions

  • auth: Attacker must have access to create or edit articles in the Quokka CMS admin interface
  • config: The application must be running a version that generates RSS/Atom feeds without sanitizing the title/author fields
  • input: Attacker must be able to supply XML entity payloads in the title or author fields

Reproduction

1. Log in to the Quokka admin interface and create a new article.
2. In the `title` or `author` field, insert an XML External Entity payload (e.g., `&xxe;` or a DOCTYPE entity referencing a local file).
3. Save the article.
4. Access the RSS or Atom feed at `http://

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
