id: CVE-2020-13258 info: name: Contentful <=2020-05-21 - Cross-Site Scripting author: pikpikcu severity: medium description: | Contentful through 2020-05-21 for Python contains a reflected cross-site scripting vulnerability via the api parameter to the-example-app.py. remediation: | Upgrade Contentful to a version that is not vulnerable to CVE-2020-13258 or apply the necessary patches provided by the vendor. reference: - https://github.com/contentful/the-example-app.py/issues/44 - https://nvd.nist.gov/vuln/detail/CVE-2020-13258 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-13258 cwe-id: CWE-79 epss-score: 0.00464 epss-percentile: 0.72695 cpe: cpe:2.3:a:contentful:python_example:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: contentful product: python_example tags: cve,cve2020,contentful,xss http: - raw: - | GET /?cda'"&locale=locale=de-DE HTTP/1.1 HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word words: - "{'api': '" - "'," condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4a0a00473045022100dc1d0ed1c21c673b08fa326519a0a243511ca3defe112ed61cf01a729f145c9102204ce2a59d4122fb1ae53280664f3e9cb1e91182aba276c520508682507e36b60c:922c64590222798bb761d5b6d8e72950