EUVD-2024-0191

Malicious code in bioql PyPI...

Care what you share

Welcome to this week's edition of the Threat Source newsletter. As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a...

Whoogle Search Path Traversal vulnerability

Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The config function in app/routes.py does not validate the user-controlled name variable on line 447 and configdata variable o...

GHSA-3Q6G-QMPX-RQW4 Whoogle Search Server-Side Request Forgery vulnerability

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the window endpoint does not sanitize user-supplied input from the location variable and passes it to the send method which sends a GET request on lines 339-343 in request.py, which leads to a server-side request...

Server side request forgery (ssrf)

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the window endpoint does not sanitize user-supplied input from the location variable and passes it to the send method which sends a GET request on lines 339-343 in request.py, which leads to a server-side request...

Cross site scripting

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the element method in app/routes.py does not validate the user-controlled srctype and elementurl variables and passes them to the send method which sends a GET request on lines 339-343 in requests.py. The returned...

Design/Logic Flaw

Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The config function in app/routes.py does not validate the user-controlled name variable on line 447 and configdata variable o...

PYSEC-2024-18

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the window endpoint does not sanitize user-supplied input from the location variable and passes it to the send method which sends a GET request on lines 339-343 in request.py, which leads to a server-side request...

CVE-2024-22205 Whoogle Search Server Side Request Forgery vulnerability

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the window endpoint does not sanitize user-supplied input from the location variable and passes it to the send method which sends a GET request on lines 339-343 in request.py, which leads to a server-side request...

CVE-2024-22205

CVE-2024-22205 (Whoogle Search) describes a server-side request forgery in versions ≤ 0.8.3 of Whoogle Search, where the window endpoint fails to sanitize user input from the location variable and passes it to the send method, causing the server to issue GET requests on internal or external resou...

CVE-2024-22204

CVE-2024-22204 affects Whoogle Search (self-hosted metasearch engine). The issue arises in version 0.8.3 and earlier where config handling in app/routes.py does not validate user-controllable name and config_data, enabling path traversal via os.path.join and later pickle.dump of config data. The ...

CVE-2024-22203 Whoogle Search Server Side Request Forgery vulnerability

Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the element method in app/routes.py does not validate the user-controlled srctype and elementurl variables and passes them to the send method which sends a GET request on lines 339-343 in request.py, which leads to a...

CVE-2024-22203 Whoogle Search Server Side Request Forgery vulnerability

Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the element method in app/routes.py does not validate the user-controlled srctype and elementurl variables and passes them to the send method which sends a GET request on lines 339-343 in request.py, which leads to a...

CVE-2024-22203

Whoogle Search (self-hosted metasearch) is affected in versions before 0.8.4 by an SSRF flaw: the element method in app/routes.py fails to validate user-controlled src_type and element_url, forwarding them to send which performs a GET request. This allows crafting requests to internal and externa...