CVE-2022-25303

Опубликовано: 12 июл. 2022

Источник: nvd

CVSS3: 5.4

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

The package whoogle-search before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the flask.render_template function. However, the error_message is rendered using the | safe filter, meaning the user input is not escaped.

Ссылки

https://github.com/benbusby/whoogle-search/blob/6d362ca5c7a00d2f691a2512461c5dfbfc01cbb3/app/routes.py%23L448
Broken Link
https://github.com/benbusby/whoogle-search/commit/abc30d7da3b5c67be7ce84d4699f327442d44606
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-PYTHON-WHOOGLESEARCH-2803306
Third Party Advisory
https://github.com/benbusby/whoogle-search/blob/6d362ca5c7a00d2f691a2512461c5dfbfc01cbb3/app/routes.py%23L448
Broken Link
https://github.com/benbusby/whoogle-search/commit/abc30d7da3b5c67be7ce84d4699f327442d44606
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-PYTHON-WHOOGLESEARCH-2803306
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:whoogle-search_project:whoogle-search:*:*:*:*:*:*:*:*

Версия до 0.7.2 (исключая)

EPSS

Процентиль: 53%

0.00301

Низкий

5.4 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-mxvc-fwgx-j778

CVSS3: 5.4

github

больше 3 лет назад

Whoogle Search Cross-site Scripting via string parameter

EPSS

Процентиль: 53%

0.00301

Низкий

5.4 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79