PT-2024-19407 · Unknown · Whoogle Search

Sylwia Budzynska · Published 2024-01-18 · Updated 2024-03-14 · CVE-2024-22417

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Whoogle Search versions 0.8.3 and prior

Description: Whoogle Search is a self-hosted metasearch engine. The element method in app/routes.py does not validate the user-controlled src_type and element_url variables and passes them to the send method, which issues a GET request on lines 339-343 of requests.py. The contents returned from that URL are then reflected back to the user by the send_file call on line 484, together with the user-controlled src_type, so the attacker controls the Content-Type of the HTTP response. This leads to a cross-site scripting vulnerability: an attacker could craft a special URL pointing to a malicious website and send the link to a victim. Because the link carries a trusted domain, it could be used to persuade the user to click it. The malicious website could, for example, be a copy of a real website intended to steal the person's credentials for that website, or deceive that person in some other way.

Recommendations: Update to version 0.8.4 or later to patch the issue. As a temporary workaround, consider restricting access to the send_file function and validating the user-controlled src_type and element_url variables to minimize the risk of exploitation. Avoid using the element method in app/routes.py until a patch is applied.
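The validation the recommendation calls for, as an added example that is not Whoogle's own code or fix: the element proxy's `type` and `url` parameters are checked before any request is made, the media type is restricted to an assumed allow-list of non-document types, and the response is served with a fixed Content-Type and nosniff so the body cannot be interpreted as HTML in the trusted origin. The allow-list, function names and headers are assumptions for illustration.

```python
"""Added example (not Whoogle's code): validate the element proxy's
``type`` and ``url`` parameters, then fix the response headers."""
from urllib.parse import urlparse

# Assumed allow-list: only binary media an element proxy is meant to relay.
# Anything a browser renders as a document or script (text/html,
# image/svg+xml, application/xhtml+xml, text/javascript) is deliberately
# absent, so a proxied body can never become a page in the proxy's origin.
ALLOWED_TYPES = frozenset({
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "audio/mpeg", "audio/ogg", "video/mp4", "video/webm",
})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def normalise_type(src_type):
    """Drop parameters (``; charset=...``) and case so the allow-list match is exact."""
    if not isinstance(src_type, str):
        return ""
    return src_type.split(";", 1)[0].strip().lower()


def validate_element_params(src_type, element_url):
    """Return (ok, detail); on success detail is the normalised media type.
    Rejection happens before any outbound GET is issued."""
    media = normalise_type(src_type)
    if media not in ALLOWED_TYPES:
        return False, "type not in allow-list"
    try:
        parsed = urlparse(element_url or "")
    except ValueError:
        return False, "unparseable url"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not http(s)"
    if not parsed.hostname:
        return False, "missing host"
    return True, media


def response_headers(media):
    """Headers for a validated body: server-chosen type, no MIME sniffing,
    and a CSP that forbids any active content should sniffing be attempted."""
    return {
        "Content-Type": media,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```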

Tags: XSS
Related Identifiers

CVE-2024-22417
GHSA-PHG6-44M7-HX3H
PYSEC-2024-19

Affected Products

Whoogle Search