PT-2024-19271 · Unknown · Whoogle Search
Sylwia Budzynska · Published 2024-01-18 · Updated 2024-03-14 · CVE-2024-22203
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Whoogle Search versions prior to 0.8.4
Description: Whoogle Search is a self-hosted metasearch engine. The issue arises from the element method in app/routes.py not validating the user-controlled src_type and element_url variables, which are then passed to the send method. That method issues a GET request to the supplied URL, resulting in a server-side request forgery. The issue allows crafting GET requests to internal and external resources on behalf of the server, potentially reaching resources on the internal network that the server can access even though they are not reachable from the internet.
Recommendations: For versions prior to 0.8.4, update to version 0.8.4 to resolve the issue. As a temporary workaround, consider restricting access to the element method in app/routes.py to minimize the risk of exploitation. Additionally, restrict the use of the src_type and element_url variables until the issue is resolved.
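The pattern the description names is a proxying endpoint that forwards a client-supplied URL to its own HTTP client without validation. The block below is an added illustration written for this advisory, not code from Whoogle Search or its app/routes.py: it shows the unvalidated pass-through beside a hardened check that only admits allowlisted https hosts, rejects literal IP addresses and embedded userinfo, and rebuilds the URL from the validated parts. The function names, the parameter name `element_url` and the allowlist entries are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse, urlunparse

# Constructed allowlist: the upstream hosts a search-proxy endpoint legitimately
# fetches from. A real deployment would derive this from its configuration.
ALLOWED_HOSTS = frozenset({"www.google.com", "encrypted-tbn0.gstatic.com"})
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({None, 443})


def vulnerable_target(element_url: str) -> str:
    """Vulnerable pattern (hypothetical): the user-controlled URL is handed to
    the HTTP client unchanged, so the server issues a GET to whatever the
    client names, including addresses only reachable from inside its network."""
    return element_url


def validate_fetch_target(element_url: str, allowed_hosts=ALLOWED_HOSTS):
    """Hardened pattern: only allowlisted https hosts on the default port pass.

    Returns (True, normalised_url) or (False, reason). A hostname allowlist is
    used instead of a denylist of private IP ranges: a denylist must resolve
    the name before checking it and is bypassed when DNS answers differ between
    the check and the connect (DNS rebinding). Literal IPs are rejected outright.
    """
    try:
        parts = urlparse(element_url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # "https://www.google.com@10.0.0.1/" would otherwise look trustworthy
        # to a naive substring check; the real host is after the '@'.
        return False, "userinfo in url"
    host = parts.hostname or ""  # .hostname is lower-cased and bracket-free
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not a literal IP, continue with the allowlist
    else:
        return False, "literal ip address not allowed"
    if host not in allowed_hosts:
        return False, f"host not allowed: {host!r}"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # Rebuild from the validated parts (drops the fragment and any explicit
    # :443) so the HTTP client sees exactly what was checked. The client must
    # also be configured not to follow redirects, or every redirect target has
    # to be re-validated with this function before it is fetched.
    normalised = urlunparse(
        (parts.scheme, host, parts.path or "/", parts.params, parts.query, "")
    )
    return True, normalised


if __name__ == "__main__":
    for candidate in (
        "https://WWW.Google.com/images?q=x#frag",
        "http://169.254.169.254/latest/meta-data/",
        "https://www.google.com@10.0.0.1/",
        "https://[::1]/",
    ):
        print(candidate, "->", validate_fetch_target(candidate))
```

The check runs before any socket is opened and needs no network access, so it can be unit-tested in isolation; the remaining exposure is in the HTTP client's redirect handling, which is why the comment insists on either disabling redirects or re-validating each hop.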

Links: Exploit, Fix
Tags: SSRF


Weakness Enumeration

Related Identifiers

CVE-2024-22203
GHSA-Q97G-C29H-X2P7
PYSEC-2024-20

Affected Products

Whoogle Search