CVE-2024-22205

Name of the Vulnerable Software and Affected Versions Whoogle Search versions 0.8.3 and prior

Description Whoogle Search is a self-hosted metasearch engine. The window endpoint does not sanitize user-supplied input from the location variable and passes it to the send method, which sends a GET request, leading to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server, enabling access to resources on the internal network that the server has access to, even if these resources are not accessible on the internet.

Recommendations For versions 0.8.3 and prior, update to version 0.8.4 to resolve the issue. As a temporary workaround, consider restricting access to the window endpoint until a patch is available. Avoid using the location variable in the affected window endpoint until the issue is resolved.