Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2024-22417

Disclosure Date: January 23, 2024 •

CVE-2024-22417 CVSS v3 Base Score: 6.1

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the element method in app/routes.py does not validate the user-controlled src_type and element_url variables and passes them to the send method which sends a GET request on lines 339-343 in requests.py. The returned contents of the URL are then passed to and reflected back to the user in the send_file function on line 484, together with the user-controlled src_type, which allows the attacker to control the HTTP response content type leading to a cross-site scripting vulnerability. An attacker could craft a special URL to point to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. from one of public Whoogle instances) could be used to trick the user into clicking the link. The malicious website could, for example, be a copy of a real website, meant to steal a person’s credentials to the website, or trick that person in another way. Version 0.8.4 contains a patch for this issue.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.1 Medium

Impact Score:

2.7

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

References

Canonical

CVE-2024-22417 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22417)

Miscellaneous

https://securitylab.github.com/advisories/GHSL-2023-186_GHSL-2023-189_benbusby_whoogle-search/

https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda

https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/request.py#L339-L343

https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L465-L490

https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L466

https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L476

https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L479

https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L484C6-L484C7

Rapid7

Unknown

CVE-2024-22417

Unknown

Unknown

Required

None

Network

CVE-2024-22417

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-22417

Unknown

Unknown

Required

None

Network

CVE-2024-22417

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Weaknesses

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification