Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:673313
HistoryMay 01, 2014 - 12:00 a.m.

Google Search Appliance dynamic navigation cross-site scripting vulnerability

2014-05-0100:00:00
www.kb.cert.org
19

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

30.1%

JSON

Overview

Google Search Appliance (GSA) devices contain a cross-site scripting (XSS) vulnerability when dynamic navigation is enabled.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Google Search Appliance versions earlier than 7.2.0.G.114 and 7.0.14.G.216 fail to properly sanitize user input that is reflected directly into a JavaScript <script> block if the dynamic navigation feature is enabled. This allows an attacker to perform a reflected XSS attack.

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user’s browser session.

Solution

Apply an update

This issue is resolved in GSA versions 7.2.0.G.114 and 7.0.14.G.216. These updates are available in the Google Enterprise Support Portal.

Disable dynamic navigation

This vulnerability can be mitigated by disabling the dynamic navigation feature in the GSA.

Vendor Information

673313

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Google __ Affected

Notified: March 20, 2014 Updated: May 01, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Addendum

This issue is resolved in GSA versions 7.2.0.G.114 and 7.0.14.G.216. These updates are available in the Google Enterprise Support Portal.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23673313 Feedback>).

CVSS Metrics

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.4 E:POC/RL:OF/RC:C
Environmental 3.4 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2014-0362
Date Public: 2014-05-01 Date First Published:

Related

prion 1
nvd 1
cve 1
cvelist 1
prion
prion
Cross site scripting
2014-05-08 10:55:00
nvd
nvd
CVE-2014-0362
2014-05-08 10:55:03
cve
cve
CVE-2014-0362
2014-05-08 10:55:03
cvelist
cvelist
CVE-2014-0362
2014-05-08 10:00:00

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

30.1%

JSON
Related for VU:673313
prion1nvd1cve1cvelist1