Vulnerability Description
Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows Reflected XSS because app.py does not explicitly set the application/json content type.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wikimedia | Analytics-Quarry-Web | < 2020-12-15 |
Related Weaknesses (CWE)
References
- https://github.com/wikimedia/analytics-quarry-web/commit/4b7e1d6a3a52ec6cf826a97 (Patch, Third Party Advisory)
- https://quarry.wmflabs.org/ (Product, Third Party Advisory)
FAQ
What is CVE-2020-36324?
CVE-2020-36324 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows Reflected XSS because app.py does not explicitly set the application/json content type.
How severe is CVE-2020-36324?
CVE-2020-36324 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-36324?
Check the references section above for vendor advisories and patch information. Affected products include: Wikimedia Analytics-Quarry-Web.