{"vuid":"VU#615857","idnumber":"615857","name":"Google Desktop vulnerable to cross-site scripting","keywords":["Google Desktop","remote code execution","under"],"overview":"A cross-site scripting vulnerability exists in the Google Desktop Search application. This vulnerability may allow an attacker to take any action on a vulnerable system that the Google Desktop Search can.","clean_desc":"Google Desktop Search is a desktop search program that is integrated into the Google search engine. Google Desktop Search indexes the user's local hard drive, and allows the results to be searched from a browser. The Google Desktop Search program contains a cross-site scripting vulnerability in the under parameter. This vulnerability occurs because the Google Desktop Search engine fails to properly sanitize user input. Note that this vulnerability may not be exploited remotely without the presence of another vulnerability.","impact":"A remote, unauthenticated attacker may be able to perform any action that the Google Desktop Search engine is capable of performing. This includes executing programs that are already on a vulnerable system, searching and viewing files, and exfiltrating sensitive data.","resolution":"Upgrade\nGoogle has addressed this issue in the most recent version of the Google Desktop Search. Note that Google updates the Google Desktop Search automatically.","workarounds":"Disable JavaScript Disable JavaScript in your browser's preferences. Instructions for disabling JavaScript can be found in the Securing Your Web Browser document and the Malicious Web Scripts FAQ. Some Mozilla add-ons can simplify the ability to enable or disable JavaScript, or set up site-specific rules for doing so.","sysaffected":"","thanks":"Thanks to Yair Amit, Danny Allan, and Adi Sharabani for providing information that was used in this report.","author":"This document was written by Ryan Giobbi.","public":["http://desktop.google.com/","http://desktop.google.com/support/bin/answer.py?answer=15935&topic=95","http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf","http://www.cert.org/tech_tips/securing_browser/#how_to_secure","http://www.cert.org/tech_tips/malicious_code_FAQ.html","http://www.cert.org/tech_tips/securing_browser/","https://addons.mozilla.org/","http://news.com.com/IE+flaw+lets+intruders+into+Google+Desktop/2100-7349_3-5980623.html?part=rss&tag=5980623&subj=news"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2007-02-21T18:53:34Z","publicdate":"2007-02-21T00:00:00Z","datefirstpublished":"2007-02-22T21:05:39Z","dateupdated":"2007-02-27T16:08:44Z","revision":54,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"4","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"4","cam_impact":"15","cam_easeofexploitation":"1","cam_attackeraccessrequired":"20","cam_scorecurrent":"0.5175","cam_scorecurrentwidelyknown":"0.5175","cam_scorecurrentwidelyknownexploited":"0.9675","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.5175,"vulnote":null}