CVE-2024-22417

CVE-2024-22417 is a medium-severity vulnerability in Benbusby Whoogle Search with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a `GET` request on lines 339-343 in `requests.py`. The returned contents of the URL are then passed to and reflected back to the user in the `send_file` function on line 484, together with the user-controlled `src_type`, which allows the attacker to control the HTTP response content type leading to a cross-site scripting vulnerability. An attacker could craft a special URL to point to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. from one of public Whoogle instances) could be used to trick the user into clicking the link. The malicious website could, for example, be a copy of a real website, meant to steal a person’s credentials to the website, or trick that person in another way. Version 0.8.4 contains a patch for this issue.

Frequently asked questions

What is CVE-2024-22417?
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a `GET` request on lines 339-343 in `requests.py`. The returned contents of the URL are then passed to and reflected back to the user in the `send_file` function on line 484, together with the user-controlled `src_type`, which allows the attacker to control the HTTP response content type leading to a cross-site scripting vulnerability. An attacker could craft a special URL to point to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. from one of public Whoogle instances) could be used to trick the user into clicking the link. The malicious website could, for example, be a copy of a real website, meant to steal a person’s credentials to the website, or trick that person in another way. Version 0.8.4 contains a patch for this issue.
How severe is CVE-2024-22417?
CVE-2024-22417 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2024-22417 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (46th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-22417?
CVE-2024-22417 affects Benbusby Whoogle Search. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-22417?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-22417 have an EU (EUVD) identifier?
Yes. CVE-2024-22417 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0190.
When was CVE-2024-22417 published?
CVE-2024-22417 was published on 2024-01-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Benbusby Whoogle Search

All CVEs affecting Benbusby Whoogle Search →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →