This repository has been archived by the owner on Oct 1, 2020. It is now read-only.

XML External Entity (XXE) Vulnerability in Latest Release #676

Open
HatBoy opened this issue Mar 21, 2019 · 1 comment

HatBoy commented Mar 21, 2019

Hi, I would like to report an XML External Entity (XXE) vulnerability in the latest release.
Description:
XML External Entity (XXE) vulnerability in quokka/utils/atom.py at line 157 and quokka/core/content/views.py at line 94, because the authors and title fields are not filtered.
Steps To Reproduce:
1. Create an article; the title and authors fields can contain an XML payload.
2. Open the URLs:
http://192.168.100.8:8000/author/{author}/index.rss
http://192.168.100.8:8000/author/{author}/index.atom
and you can see that the title and authors have been inserted into the XML.

Author: jin.dong@dbappsecurity.com.cn
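To illustrate the feed-rendering defect the report describes (user-supplied title and author values serialised into the RSS/Atom output without escaping), here is an added example that is not Quokka's own code: a naive template rendering beside two hardened versions, run over a constructed article whose fields contain XML metacharacters. The `render_*` and `parse_title` functions and the sample article are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample article (not from the report); the title and author carry
# the kind of XML metacharacters user-controlled fields can contain.
SAMPLE_ARTICLE = {
    "title": 'Hello <world> & "friends"',
    "author": "eve <eve@example.invalid>",
    "url": "http://192.168.100.8:8000/article/1",
}

ENTRY_TEMPLATE = (
    "<entry><title>{title}</title>"
    "<author><name>{author}</name></author>"
    '<link href="{url}"/></entry>'
)


def render_entry_unsafe(article):
    """Naive rendering: user text is interpolated straight into the feed,
    so any '<' or '&' in title/author becomes markup instead of text."""
    return ENTRY_TEMPLATE.format(**article)


def render_entry_escaped(article):
    """Minimal fix for template-style code: escape &, <, > and the double
    quote in every field before interpolation (the quote matters because
    the url lands inside an attribute value)."""
    safe = {k: escape(v, {'"': "&quot;"}) for k, v in article.items()}
    return ENTRY_TEMPLATE.format(**safe)


def render_entry_safe(article):
    """Preferred fix: build the entry with ElementTree, which serialises
    every field as character data, so user text can never become markup."""
    entry = ET.Element("entry")
    ET.SubElement(entry, "title").text = article["title"]
    author = ET.SubElement(entry, "author")
    ET.SubElement(author, "name").text = article["author"]
    ET.SubElement(entry, "link", href=article["url"])
    return ET.tostring(entry, encoding="unicode")


def parse_title(xml_text):
    """Parse a rendered entry and return its title text, or None when the
    document is not well-formed XML (the visible symptom of injection)."""
    try:
        return ET.fromstring(xml_text).findtext("title")
    except ET.ParseError:
        return None
```

Parsing the unsafe output fails outright, while both hardened renderings round-trip the original title unchanged.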

@marcosptf (Collaborator) commented:

Removed WIP from the PR and fixed this issue:
hotfix ready to merge; please add your comments and reviews:
#679
