GHSA-mxvc-fwgx-j778
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mxvc-fwgx-j778
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-mxvc-fwgx-j778/GHSA-mxvc-fwgx-j778.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-mxvc-fwgx-j778
- Aliases
-
- CVE-2022-25303
- PYSEC-2022-226
- SNYK-PYTHON-WHOOGLESEARCH-2803306
- Published
- 2022-07-15T15:37:39Z
- Modified
- 2024-11-19T19:26:13.154983Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Whoogle Search Cross-site Scripting via string parameter
- Details
-
The package whoogle-search before version 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the errormessage that is then rendered in the error.html template, using the flask.rendertemplate function. However, the error_message is rendered using the | safe filter, meaning the user input is not escaped.
- Database specific
{ "nvd_published_at": "2022-07-12T15:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-07-15T15:37:39Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-25303
- https://github.com/benbusby/whoogle-search/commit/abc30d7da3b5c67be7ce84d4699f327442d44606
- https://github.com/advisories/GHSA-mxvc-fwgx-j778
- https://github.com/benbusby/whoogle-search
- https://github.com/benbusby/whoogle-search/blob/6d362ca5c7a00d2f691a2512461c5dfbfc01cbb3/app/routes.py%23L448
- https://github.com/pypa/advisory-database/tree/main/vulns/whoogle-search/PYSEC-2022-226.yaml
- https://snyk.io/vuln/SNYK-PYTHON-WHOOGLESEARCH-2803306
Affected packages
PyPI / whoogle-search
Package
- Name
- whoogle-search
- View open source insights on deps.dev
- Purl
- pkg:pypi/whoogle-search