whoogle-search@0.7.0 vulnerabilities

Self-hosted, ad-free, privacy-respecting metasearch engine

latest version

0.9.3

latest non vulnerable version

first published

4 years ago

latest version published

2 months ago

licenses detected

MIT
[0,)

View whoogle-search package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the whoogle-search package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Vulnerability	Vulnerable Version
M Path Traversal whoogle-search is a Self-hosted, ad-free, privacy-respecting metasearch engine Affected versions of this package are vulnerable to Path Traversal via the `config` function. An attacker can overwrite files on the system with a dictionary containing arbitrary data and the `url` key value by manipulating the `name` variable and providing malicious `config_data`. How to fix Path Traversal? Upgrade `whoogle-search` to version 0.8.4 or higher.	[,0.8.4)
H Server-Side Request Forgery (SSRF) whoogle-search is a Self-hosted, ad-free, privacy-respecting metasearch engine Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the `window` endpoint which does not properly sanitize user-supplied input from the `location` variable before passing it to the `send` method. An attacker can craft malicious GET requests to internal and external resources on behalf of the server, accessing resources on the internal network that are not publicly accessible. How to fix Server-Side Request Forgery (SSRF)? Upgrade `whoogle-search` to version 0.8.4 or higher.	[,0.8.4)
M Cross-site Scripting whoogle-search is a Self-hosted, ad-free, privacy-respecting metasearch engine Affected versions of this package are vulnerable to Cross-site Scripting via the `element` method, which does not properly validate user-controlled `src_type` and `element_url` variables. An attacker can manipulate the HTTP response content type and inject malicious scripts. How to fix Cross-site Scripting? Upgrade `whoogle-search` to version 0.8.4 or higher.	[,0.8.4)
M Information Exposure whoogle-search is a Self-hosted, ad-free, privacy-respecting metasearch engine Affected versions of this package are vulnerable to Information Exposure where an `element` or `window` endpoint could retrieve file contents from a service hosted on another port. How to fix Information Exposure? Upgrade `whoogle-search` to version 0.8.4 or higher.	[,0.8.4)
M Cross-site Scripting (XSS) whoogle-search is a Self-hosted, ad-free, privacy-respecting metasearch engine Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the query string parameter `q`. In the case where it does not contain the `http` string, it is used to build the `error_message` that is then rendered in the `error.html` template, using the `flask.render_template` function. However, the `error_message` is rendered using the `\| safe` filter, meaning the user input is not escaped. How to fix Cross-site Scripting (XSS)? Upgrade `whoogle-search` to version 0.7.2 or higher.	[,0.7.2)

Go back to all versions of this package