Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

Related vulnerabilities

PYSEC-2022-226

Vulnerability from pysec - Published: 2022-07-12 15:15 - Updated: 2022-07-14 05:11
VLAI?
Details

The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the flask.render_template function. However, the error_message is rendered using the | safe filter, meaning the user input is not escaped.

Impacted products
Name purl
whoogle-search pkg:pypi/whoogle-search
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "whoogle-search",
        "purl": "pkg:pypi/whoogle-search"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "abc30d7da3b5c67be7ce84d4699f327442d44606"
            }
          ],
          "repo": "https://github.com/benbusby/whoogle-search",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.1.3",
        "0.1.4",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.4.0",
        "0.4.1",
        "0.5.0",
        "0.5.1",
        "0.5.2",
        "0.5.3",
        "0.5.4",
        "0.6.0",
        "0.7.0",
        "0.7.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25303",
    "SNYK-PYTHON-WHOOGLESEARCH-2803306",
    "GHSA-mxvc-fwgx-j778"
  ],
  "details": "The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped.",
  "id": "PYSEC-2022-226",
  "modified": "2022-07-14T05:11:54.875994Z",
  "published": "2022-07-12T15:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/benbusby/whoogle-search/blob/6d362ca5c7a00d2f691a2512461c5dfbfc01cbb3/app/routes.py%23L448"
    },
    {
      "type": "ADVISORY",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-WHOOGLESEARCH-2803306"
    },
    {
      "type": "FIX",
      "url": "https://github.com/benbusby/whoogle-search/commit/abc30d7da3b5c67be7ce84d4699f327442d44606"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mxvc-fwgx-j778"
    }
  ]
}