whoogle-search@0.1.3 vulnerabilities

Self-hosted, ad-free, privacy-respecting metasearch engine

Direct Vulnerabilities

Known vulnerabilities in the whoogle-search package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • Path Traversal (severity: Medium)


Affected versions of this package are vulnerable to Path Traversal via the config function. An attacker who controls the name variable and supplies malicious config_data can write a dictionary containing arbitrary data and a url key value to a path of their choosing, overwriting files on the system.

How to fix Path Traversal?

Upgrade whoogle-search to version 0.8.4 or higher.

Vulnerable versions: [,0.8.4)
  • Server-Side Request Forgery (SSRF) (severity: High)


Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the window endpoint, which does not properly sanitize user-supplied input in the location variable before passing it to the send method. An attacker can craft malicious GET requests to internal and external resources on behalf of the server, reaching resources on the internal network that are not publicly accessible.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade whoogle-search to version 0.8.4 or higher.

Vulnerable versions: [,0.8.4)
  • Cross-site Scripting (severity: Medium)


Affected versions of this package are vulnerable to Cross-site Scripting via the element method, which does not properly validate the user-controlled src_type and element_url variables. An attacker can manipulate the HTTP response content type and inject malicious scripts.

How to fix Cross-site Scripting?

Upgrade whoogle-search to version 0.8.4 or higher.

Vulnerable versions: [,0.8.4)
  • Information Exposure (severity: Medium)


Affected versions of this package are vulnerable to Information Exposure: the element or window endpoint could be used to retrieve file contents from a service hosted on another port.

How to fix Information Exposure?

Upgrade whoogle-search to version 0.8.4 or higher.

Vulnerable versions: [,0.8.4)
  • Cross-site Scripting (XSS) (severity: Medium)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. When q does not contain the string http, it is used to build the error_message that is then rendered in the error.html template via the flask.render_template function. However, error_message is rendered with the | safe filter, so the user input is not escaped.

How to fix Cross-site Scripting (XSS)?

Upgrade whoogle-search to version 0.7.2 or higher.

Vulnerable versions: [,0.7.2)