PT-2022-17199 · Unknown · Whoogle Search
Alessio Della Libera · Published 2022-07-12 · Updated 2022-07-19 · CVE-2022-25303
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: whoogle-search versions prior to 0.7.2
Description: The issue is Cross-site Scripting (XSS) via the query string parameter q. When the q parameter does not contain the string 'http', its value is used to build the error message that is then rendered in the error.html template via the flask.render_template function. Because the error message is rendered with the | safe filter, which disables escaping, the user input is inserted into the page unescaped.
Recommendations: For versions prior to 0.7.2, update to version 0.7.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the q parameter in the query string to minimize the risk of exploitation.
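The rendering behaviour described above, as an added example that is not Whoogle's own code: a user-controlled error message rendered with Jinja2's `| safe` filter keeps any markup in the q value, while the same template without the filter escapes it. Template strings, the message wording and the sample input are constructed for this example; it assumes the jinja2 package is installed.

```python
from jinja2 import Environment

# Constructed stand-ins for the two template variants. The vulnerable one
# mirrors the advisory: the error text is rendered with the 'safe' filter.
VULNERABLE_TEMPLATE = '<p class="error">{{ error_message | safe }}</p>'
FIXED_TEMPLATE = '<p class="error">{{ error_message }}</p>'

# autoescape=True matches Flask's default for .html templates.
_env = Environment(autoescape=True)


def build_error_message(q: str) -> str:
    """Build the error text the way the advisory describes: when the q
    parameter does not contain 'http', its value is embedded in the message.
    The wording itself is constructed for this example."""
    if "http" in q:
        return "Unable to reach the requested URL"
    return f'Error: unable to find results for "{q}"'  # user input embedded verbatim


def render_error(q: str, template: str) -> str:
    """Render the error message through the given template string."""
    return _env.from_string(template).render(error_message=build_error_message(q))


def contains_raw_markup(rendered: str, marker: str = "<i>") -> bool:
    """Check helper: True if the marker tag survived rendering unescaped."""
    return marker in rendered


if __name__ == "__main__":
    sample = "weather <i>today</i>"  # constructed input with harmless inline markup
    for name, tpl in (("vulnerable", VULNERABLE_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        out = render_error(sample, tpl)
        print(f"{name}: {out}  raw markup kept: {contains_raw_markup(out)}")
```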

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-25303
GHSA-MXVC-FWGX-J778
PYSEC-2022-226
SNYK-PYTHON-WHOOGLESEARCH-2803306

Affected Products

Whoogle Search