CVE-2024-22417: 
Python vulnerability analysis and mitigation

Whoogle Search is a self-hosted metasearch engine that contains a cross-site scripting (XSS) vulnerability in versions 0.8.3 and prior. The vulnerability was discovered in January 2024 and is tracked as CVE-2024-22417. The issue affects the element method in app/routes.py which does not properly validate user-controlled input (GitHub Advisory).

The vulnerability exists because the element method in app/routes.py does not validate the user-controlled src_type and element_url variables and passes them to the send method which sends a GET request on lines 339-343 in requests.py. The returned contents of the URL are then passed to and reflected back to the user in the send_file function on line 484, together with the user-controlled src_type, which allows the attacker to control the HTTP response content type leading to a cross-site scripting vulnerability (GitHub Advisory).

An attacker could craft a special URL to point to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. from one of public Whoogle instances) could be used to trick the user into clicking the link. The malicious website could, for example, be a copy of a real website, meant to steal a person's credentials to the website, or trick that person in another way (GitHub Advisory).

The vulnerability has been patched in version 0.8.4. Users should upgrade to this version or later to mitigate the issue. The fix includes validation of URLs in the element and window endpoints to prevent malicious input (GitHub Patch).