CVE-2022-25303

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-25303
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25303.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-25303
Aliases
Published
2022-07-12T15:15:09Z
Modified
2024-10-12T09:20:36.662960Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the errormessage that is then rendered in the error.html template, using the flask.rendertemplate function. However, the error_message is rendered using the | safe filter, meaning the user input is not escaped.

References

Affected packages

Git / github.com/benbusby/whoogle-search

Affected ranges

Type
GIT
Repo
https://github.com/benbusby/whoogle-search
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
abc30d7da3b5c67be7ce84d4699f327442d44606

Affected versions

0.*

0.2.0

v0.*

v0.0.1
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.6.0
v0.7.0
v0.7.1