PYSEC-2022-226

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/whoogle-search/PYSEC-2022-226.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2022-226

Aliases

CVE-2022-25303
GHSA-mxvc-fwgx-j778
SNYK-PYTHON-WHOOGLESEARCH-2803306

Published

2022-07-12T15:15:00Z

Modified

2023-11-01T04:58:17.865917Z

Summary

[none]

Details

The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the errormessage that is then rendered in the error.html template, using the flask.rendertemplate function. However, the error_message is rendered using the | safe filter, meaning the user input is not escaped.

References

Affected packages

PyPI / whoogle-search

Package

Name: whoogle-search; View open source insights on deps.dev
Purl: pkg:pypi/whoogle-search

Affected ranges

Type: GIT
Repo: https://github.com/benbusby/whoogle-search
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

abc30d7da3b5c67be7ce84d4699f327442d44606

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.7.2

Affected versions

0.*

0.1.0

0.1.3

0.1.4

0.2.0

0.2.1

0.3.0

0.3.1

0.3.2

0.4.0

0.4.1

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.6.0

0.7.0

0.7.1