Coordinated Disclosure Timeline
- 2020-12-15: Reported to firstname.lastname@example.org
- 2020-12-15: Issue acknowledged
- 2020-12-15: Issue is fixed
A reflected Cross-Site Scripting (XSS) vulnerability has been found in analytics-quarry-web.
Latest commit at the time of reporting (December 14, 2020).
The server responds with return Response(json.dumps(...)) without setting a proper MIME type. Flask's Response defaults to text/html in that case, so a browser renders the JSON body, including any user input reflected into it, as HTML.
This becomes problematic for the preference handling defined here, where the preference key taken from the URL path is reflected into the response body: https://github.com/wikimedia/analytics-quarry-web/blob/085a51b2dee8b58882276d9fe090174252edb85e/quarry/web/app.py#L395-L412
You can exploit this vulnerability by tricking a logged-in user into visiting the vulnerable URL.
- Visit the official Quarry site https://quarry.wmflabs.org/ or follow the setup instructions in the repo. (I found the official site from here.)
- Log in with a Wikimedia account.
- Visit vulnerable URL: https://quarry.wmflabs.org/api/preferences/get/%3Cimg%20src=0%20onerror=alert(0)%3E
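The vulnerable pattern described above, beside one hardened form, as an added Flask example written for this write-up and not code from the Quarry project: the route paths, the in-memory preference store and the chosen fix are assumptions. It shows that the JSON body is identical in both responses; only the declared content type changes, and that is what decides whether the browser parses the reflected key as markup.

```python
"""Added reproduction of the advisory's pattern (not the Quarry project's code).

A Flask view that returns Response(json.dumps(...)) without a mimetype is
served as text/html, Flask's default, so a browser parses the JSON body as
markup and any reflected path parameter becomes reflected XSS.  The route
paths, the in-memory preference store and the hardened route are assumptions
made for this example.
"""
import json
from urllib.parse import quote

from flask import Flask, Response

app = Flask(__name__)

# Constructed stand-in for a logged-in user's preference store.
PREFERENCES = {"theme": "dark"}

# The payload from the advisory's proof-of-concept URL, URL-decoded.
PAYLOAD = "<img src=0 onerror=alert(0)>"


@app.route("/api/preferences/get/<key>")
def get_preference_vulnerable(key):
    # Vulnerable pattern: the body is valid JSON, but Response() without a
    # mimetype defaults to text/html, so the reflected <key> is parsed as HTML.
    body = json.dumps({"key": key, "value": PREFERENCES.get(key)})
    return Response(body)


@app.route("/api/preferences/get-fixed/<key>")
def get_preference_fixed(key):
    # Hardened variant (an assumed fix, not necessarily the upstream patch):
    # the body is unchanged; declaring application/json stops the browser from
    # interpreting it as HTML.  flask.jsonify() would have the same effect.
    body = json.dumps({"key": key, "value": PREFERENCES.get(key)})
    resp = Response(body, mimetype="application/json")
    # Defence in depth: forbid MIME sniffing away from the declared type.
    resp.headers["X-Content-Type-Options"] = "nosniff"
    return resp


def fetch(route_prefix, payload=PAYLOAD):
    """GET route_prefix/<url-encoded payload> through Flask's test client and
    return (status_code, mimetype, body_text)."""
    with app.test_client() as client:
        resp = client.get(f"{route_prefix}/{quote(payload, safe='')}")
        return resp.status_code, resp.mimetype, resp.get_data(as_text=True)


def renders_as_html(mimetype):
    """A browser treats the body as markup only when it is labelled text/html."""
    return mimetype == "text/html"


if __name__ == "__main__":
    for prefix in ("/api/preferences/get", "/api/preferences/get-fixed"):
        status, mimetype, body = fetch(prefix)
        print(f"{prefix}: {status} {mimetype} renders_as_html={renders_as_html(mimetype)}")
        print("   ", body)
```

Running the script requests both routes with the advisory's payload. The raw img tag is present in both bodies, because json.dumps does not HTML-escape and does not need to; the hardened route is safe purely because application/json is never rendered as a document, which is why the check a reviewer should make here is on the Content-Type header, not on the body.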
XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account.
This issue was discovered and reported by Rasmus Wriedt Larsen of the CodeQL Python team.
You can contact the GHSL team at email@example.com; please include GHSL-2020-336 in any communication regarding this issue.