April 13, 2021

GHSL-2020-336: reflected Cross-Site scripting (XSS) in analytics-quarry-web - CVE-2020-36324

GitHub Security Lab

Coordinated Disclosure Timeline


A reflected Cross-Site scripting (XSS) vulnerability has been found in analytics-quarry-web


Tested Version

Latest commit at the time of reporting (December 14, 2020).


The server responds with return Response(json.dumps(...)) without setting the proper mime type (application/json). Flask's Response defaults to text/html, so the browser parses the JSON body as markup, and json.dumps escapes quotes and backslashes but leaves <, > and & untouched, so any HTML in a reflected value reaches the page intact.

This becomes problematic for the preference handling defined here:

You can exploit this vulnerability by tricking a logged-in user into visiting the vulnerable URL.
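To make the root cause concrete, the following is an added example written for this page; it is not Quarry's code. It models the vulnerable handler and its hardened form as plain WSGI callables so it runs offline without Flask, and it sets the text/html content type explicitly on the vulnerable handler to stand in for the Flask Response default the advisory refers to. The endpoint shape (a "name" query parameter echoed into a "preference" key), the function names and the payload are all assumptions made for the illustration.

```python
"""
Added example (not Quarry's code): why `Response(json.dumps(...))` without an
explicit mime type turns a JSON endpoint into a reflected XSS sink, and what the
hardened response looks like. Flask is not imported; `vulnerable_app` sets
"text/html; charset=utf-8" by hand to model the Flask Response() default
(assumption: that default is the behaviour the advisory describes).
"""
import json
from urllib.parse import parse_qs, quote
from wsgiref.util import setup_testing_defaults

# Constructed attacker input. json.dumps escapes quotes and backslashes but
# leaves <, > and & alone, so the tag survives into the response body verbatim.
PAYLOAD = "<script>alert(document.cookie)</script>"


def attack_query():
    """Query string an attacker would put in the link sent to the victim."""
    return "name=" + quote(PAYLOAD)


def _reflected_json(environ):
    """Shared body construction: echo the request's `name` into a JSON object
    (assumed endpoint shape, chosen for the illustration)."""
    name = parse_qs(environ.get("QUERY_STRING", "")).get("name", [""])[0]
    return json.dumps({"preference": name}).encode("utf-8")


def vulnerable_app(environ, start_response):
    """Mirrors `return Response(json.dumps(...))`: the body is JSON, but the
    content type is the framework default, text/html."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [_reflected_json(environ)]


def fixed_app(environ, start_response):
    """Hardened form: declare the body as JSON and forbid MIME sniffing."""
    start_response("200 OK", [
        ("Content-Type", "application/json"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [_reflected_json(environ)]


def call(app, query):
    """Drive a WSGI app with a constructed GET request; return (headers, body)."""
    environ = {"QUERY_STRING": query}
    setup_testing_defaults(environ)  # fills in REQUEST_METHOD, wsgi.* keys, ...
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["headers"], body.decode("utf-8")


def renders_as_html(headers, body):
    """A browser parses a text/html response as markup, so an unescaped
    <script> tag in the reflected JSON text executes in the site's origin."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "text/html" and "<script" in body.lower()


if __name__ == "__main__":
    for app in (vulnerable_app, fixed_app):
        headers, body = call(app, attack_query())
        print(app.__name__, headers["Content-Type"], renders_as_html(headers, body))
        print("  body:", body)
```

Both handlers return byte-for-byte the same body; only the headers differ, which is why the fix is a one-line mime-type change (in Flask, jsonify() or Response(..., mimetype="application/json")). The nosniff header is added so that browsers do not second-guess the declared type.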


  1. Visit the official Quarry site or follow the setup instructions in the repo. (I found the official site from here)
  2. Log in with a Wikimedia account
  3. Visit the vulnerable URL:


XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account.



This issue was discovered and reported by Rasmus Wriedt Larsen of the CodeQL Python team.


You can contact the GHSL team at, please include GHSL-2020-336 in any communication regarding this issue.