CVE-2020-18705
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in Quokka CMS v0.4.0 that allows remote attackers to execute arbitrary code by exploiting improper XML parsing in the content views component. Attackers can read sensitive files, perform server-side request forgery, or execute commands on the server. Any system running the vulnerable Quokka version with XML processing enabled is affected.
💻 Affected Systems
- Quokka CMS
📦 What is this software?
Quokka by Quokka Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
File disclosure of sensitive system files, potential server-side request forgery attacks, and denial of service.
If Mitigated
Limited impact with proper XML parser configuration and network segmentation, potentially only file read access.
🎯 Exploit Status
XXE vulnerabilities are well-understood with many public exploit techniques. The GitHub issue shows proof of concept exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.5.0 or later
Vendor Advisory: https://github.com/rochacbruno/quokka/issues/676
Restart Required: Yes
Instructions:
1. Back up your Quokka installation and database.
2. Update Quokka to version 0.5.0 or later using pip: pip install --upgrade quokka
3. Restart the Quokka application server.
4. Verify the fix by checking the version and testing XML processing.
🔧 Temporary Workarounds
Disable XXE in XML parser
Configure the XML parser to disable external entity processing and DTD resolution.
Modify quokka/core/content/views.py so that the parser is created once and both external-entity features are switched off on that same instance (the feature constants live in xml.sax.handler):
parser = xml.sax.make_parser()
parser.setFeature(xml.sax.handler.feature_external_ges, False)
parser.setFeature(xml.sax.handler.feature_external_pes, False)
Input validation and sanitization
Implement strict input validation for XML content and reject suspicious payloads:
Implement XML schema validation
Use allowlists for acceptable XML structures
Reject XML containing DOCTYPE declarations
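Added illustration of the two workarounds above (disabling external entities and refusing any DOCTYPE), written for this page rather than taken from Quokka or the advisory; the function names and the two constructed sample documents are assumptions, and the entity in the second sample points at a placeholder rather than a real path:

```python
import xml.sax
import xml.sax.handler
from io import BytesIO

# Constructed samples; the external entity points at a placeholder, not a real path.
SAFE_DOC = b'<?xml version="1.0"?><post><title>Hello</title></post>'
DTD_DOC = b'<!DOCTYPE post [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]><post>&ext;</post>'

class UnsafeXmlError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE."""

class _DtdRejecter:
    """Lexical handler: expat reports the DOCTYPE before resolving any entity,
    so raising here stops external-entity and entity-expansion documents early."""
    def startDTD(self, name, public_id, system_id):
        raise UnsafeXmlError(f"DOCTYPE {name!r} rejected (system id {system_id!r})")
    # Remaining lexical events are harmless; expatreader binds them at reset time.
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass

class _Collector(xml.sax.handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.elements, self.text = [], []
    def startElement(self, name, attrs):
        self.elements.append(name)
    def characters(self, content):
        self.text.append(content)

def parse_untrusted_xml(data: bytes):
    """Parse with external entities disabled and any DOCTYPE refused.
    Returns (element names, text) or raises UnsafeXmlError."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, _DtdRejecter())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(data))
    return collector.elements, "".join(collector.text).strip()

def xml_is_accepted(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it refuses it."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlError:
        return False
```

Refusing the DOCTYPE outright also blocks internal-entity expansion documents, which the feature flags alone do not address.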
🧯 If You Can't Patch
- Implement network segmentation to isolate Quokka instances from sensitive systems
- Deploy a web application firewall (WAF) with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check if running Quokka v0.4.0 and test XML processing with XXE payloads. Use: python -c "import quokka; print(quokka.__version__)"
Check Version:
python -c "import quokka; print(quokka.__version__)"
Verify Fix Applied:
Verify version is 0.5.0 or later and test with XXE payloads that should be rejected. Check that external entity processing is disabled.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Large XML payloads in requests
- Requests to internal endpoints from Quokka server
- File read attempts via XML entities
Network Indicators:
- XML payloads containing SYSTEM or PUBLIC declarations
- Requests with DOCTYPE elements
- Outbound connections from Quokka to internal services
SIEM Query:
source="quokka" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*SYSTEM*")