Description Preview
The package whoogle-search before version 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. When the value does not contain the http string, it is used to build an error_message that is rendered in the error.html template via Flask's render_template. However, the error_message is rendered using the Jinja2 safe filter, meaning the user input is not escaped, allowing an attacker to inject and execute arbitrary scripts in the victim’s browser.
Overview
This CVE details an XSS flaw in whoogle-search versions prior to 0.7.2. An attacker can craft a request with a malicious q parameter; if the parameter value lacks the http prefix, it is used to compose an error_message that is subsequently rendered in error.html. Because the error_message is passed through a safe filter, the user input is not escaped, enabling attacker-controlled script execution in the rendered page. The vulnerability is accessible over the network and requires user interaction to exploit (e.g., convincing a user to visit a crafted URL). The CVSS 3.1 metrics indicate a Network attack vector, low attack complexity, no privileges required, and a medium base score (5.4) with user interaction required and minimal impact on confidentiality and integrity.
Remediation
- Upgrade whoogle-search to version 0.7.2 or newer (prefer the latest release) to include the fix.
- If upgrading immediately isn’t feasible, patch the rendering path:
- Remove or avoid using the safe filter on error_message.
- Ensure all user-supplied input is properly escaped or sanitized before rendering (prefer automatic escaping via templates).
- Validate and sanitize the q parameter server-side (e.g., reject or neutralize HTML/JS input, or URL-encode before processing).
- Implement input validation rules for query parameters and enforce strict content handling in templates.
- Add security tests and code reviews focused on template rendering and user input handling.
- Apply additional mitigations such as Content Security Policy (CSP) headers and, if possible, a web application firewall (WAF) rule to detect and block reflected script payloads.
References
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services: Low
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services: Low
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting: Low
- Arts, Entertainment & RecreationArts, Entertainment & Recreation: Low
- ConstructionConstruction: Low
- Educational ServicesEducational Services: Low
- Finance and InsuranceFinance and Insurance: Low
- Health Care & Social AssistanceHealth Care & Social Assistance: Low
- InformationInformation: Low
- Management of Companies & EnterprisesManagement of Companies & Enterprises: Low
- ManufacturingManufacturing: Low
- MiningMining: Low
- Other Services (except Public Administration)Other Services (except Public Administration): Low
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services: Low
- Public AdministrationPublic Administration: Low
- Real Estate Rental & LeasingReal Estate Rental & Leasing: Low
- Retail TradeRetail Trade: Low
- Transportation & WarehousingTransportation & Warehousing: Low
- UtilitiesUtilities: Low
- Wholesale TradeWholesale Trade: Low
