Detections
Analytics

Google Desktop Advanced Search Internal Web Server XSS

high Nessus Plugin ID 24710

Synopsis

The remote host has an application installed that is vulnerable to a local cross-site scripting attack.

Description

The version of Google Desktop installed on the remote host is affected by a cross-site scripting flaw because it fails to properly encode the output for the 'under' keyword. This issue cannot be directly exploited remotely; however, when used in conjunction with a known Google.com cross-site scripting vulnerability to extract the unique signature associated with Google Desktop software, it might allow an attacker to query a victim's system for sensitive information.

Solution

Google Desktop automatically updates itself when a new version of the software is available. However, in some cases it may not be able to update itself due to network connectivity issues. Please ensure that Google Desktop version 5.0.0701.30540 or later is installed.

See Also

http://www.nessus.org/u?72d01fea

Plugin Details

Severity: High

ID: 24710

File Name: google_desktop_xss_flaw.nasl

Version: 1.20

Type: local

Agent: windows

Family: Windows

Published: 2/26/2007

Updated: 7/12/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:google:desktop

Required KB Items: SMB/Google/Google Dektop/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/21/2007

Vulnerability Publication Date: 2/22/2007

Reference Information

CVE: CVE-2007-1085

BID: 22650

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

CERT: 615857