CVE-2024-22204

Name of the Vulnerable Software and Affected Versions Whoogle Search versions 0.8.3 and prior

Description Whoogle Search is a self-hosted metasearch engine. The issue allows for a limited file write vulnerability when configuration options are enabled. The config function in app/routes.py does not validate the user-controlled name variable and config data variable, leading to path manipulation and a limited file write. The data saved is transformed into a dictionary with arbitrary data and a url key value pair before being saved on the system. This issue enables saving and overwriting files on the system with the application's permissions.

Recommendations For versions 0.8.3 and prior, update to version 0.8.4 to resolve the issue. As a temporary workaround, consider disabling the config function in app/routes.py until a patch is available. Restrict access to the configuration options in Whoogle to minimize the risk of exploitation. Avoid using the name variable and config data variable in the affected config function until the issue is resolved.