Vulnerability Description
The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Whoogle-Search Project | Whoogle-Search | < 0.7.2 |
Related Weaknesses (CWE)
References
- https://github.com/benbusby/whoogle-search/blob/6d362ca5c7a00d2f691a2512461c5dfbBroken Link
- https://github.com/benbusby/whoogle-search/commit/abc30d7da3b5c67be7ce84d4699f32PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-PYTHON-WHOOGLESEARCH-2803306Third Party Advisory
- https://github.com/benbusby/whoogle-search/blob/6d362ca5c7a00d2f691a2512461c5dfbBroken Link
- https://github.com/benbusby/whoogle-search/commit/abc30d7da3b5c67be7ce84d4699f32PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-PYTHON-WHOOGLESEARCH-2803306Third Party Advisory
FAQ
What is CVE-2022-25303?
CVE-2022-25303 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the er...
How severe is CVE-2022-25303?
CVE-2022-25303 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25303?
Check the references section above for vendor advisories and patch information. Affected products include: Whoogle-Search Project Whoogle-Search.