quokkaproject / quokka

LOOKING FOR NEW MAINTAINER - Quokka is a Content Management System - `docker run --rm -it -p 5000:5000 quokka/quokka`
http://www.quokkaproject.org

XML External Entity (XXE) Vulnerability in Latest Release #676

Open HatBoy opened 5 years ago

HatBoy commented 5 years ago

Hi, I would like to report an XML External Entity (XXE) vulnerability in the latest release.

Description: XML External Entity (XXE) vulnerability in quokka/utils/atom.py line 157 and quokka/core/content/views.py line 94, because there is no filter on authors, title.

Steps To Reproduce:
1. Create an article; title and authors can insert XML payload.
2. Open the URL: http://192.168.100.8:8000/author/{author}/index.rss or http://192.168.100.8:8000/author/{author}/index.atom and see the title and authors have been inserted into the XML.

author by jin.dong@dbappsecurity.com.cn
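The report above describes user-controlled title and author strings being written into the RSS/Atom feed without any filtering. The following is an added example, not code from the Quokka project, that contrasts interpolating such strings straight into feed XML with building the feed through xml.etree.ElementTree (or escaping via xml.sax.saxutils.escape). The title value is a constructed sample carrying markup, and all function and variable names are my own; a round-trip parse check shows which builders keep user text as text rather than letting it become XML structure.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input (not taken from the report): an article title
# that contains XML markup, as an author-controlled field might.
INJECTED_TITLE = "Hello</title><injected>x</injected><title>"
AUTHOR = "alice"


def naive_atom_entry(title, author):
    """Unsafe: plain string interpolation lets user text shape the XML tree."""
    return (
        "<entry><title>%s</title><author><name>%s</name></author></entry>"
        % (title, author)
    )


def escaped_atom_entry(title, author):
    """Safe for element text: escape &, < and > before interpolation."""
    return (
        "<entry><title>%s</title><author><name>%s</name></author></entry>"
        % (escape(title), escape(author))
    )


def etree_atom_entry(title, author):
    """Safe: ElementTree serialises .text with escaping applied for you."""
    entry = ET.Element("entry")
    ET.SubElement(entry, "title").text = title
    author_el = ET.SubElement(entry, "author")
    ET.SubElement(author_el, "name").text = author
    return ET.tostring(entry, encoding="unicode")


def round_trips(xml_text, expected_title):
    """Parse the feed fragment and check that the title survived as text only.

    Returns False when the title was truncated or when the markup from the
    title became a real element in the document.
    """
    root = ET.fromstring(xml_text)
    title_ok = root.findtext("title") == expected_title
    no_new_element = root.find("injected") is None
    return title_ok and no_new_element


if __name__ == "__main__":
    for name, builder in (
        ("naive", naive_atom_entry),
        ("escaped", escaped_atom_entry),
        ("etree", etree_atom_entry),
    ):
        xml_text = builder(INJECTED_TITLE, AUTHOR)
        print(name, "keeps title as text:", round_trips(xml_text, INJECTED_TITLE))
```

The naive builder still produces well-formed XML here, which is why the defect is easy to miss in testing: the injected markup simply becomes part of the document. A feed builder that escapes every user-supplied value (or, better, never hand-assembles XML at all) is the fix the report is asking for.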

marcosptf commented 5 years ago

WIP was removed from the PR and this issue was fixed. Hotfix ready to merge; please make your comments and reviews: https://github.com/rochacbruno/quokka/pull/679