CVE-2007-1085

Cross-site scripting (XSS) vulnerability in Google Desktop allows remote attackers to bypass protection schemes and inject arbitrary web script or HTML, and possibly gain full access to the system, by using an XSS vulnerability in google.com to extract the signature for the internal web server, then calling the "under" parameter in Advanced Search with the proper signature.

CVSS v2.0 7.6 HIGH

7.6^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:H/Au:N/C:C/I:C/A:C

Exploitability : 4.9 / Impact : 10.0

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf
http://www.kb.cert.org/vuls/id/615857	US Government Resource
http://www.securityfocus.com/bid/22650	Exploit
http://www.securitytracker.com/id?1017686
http://securityreason.com/securityalert/2301
http://osvdb.org/33483
http://www.securityfocus.com/archive/1/460928/100/0/threaded
http://www.securityfocus.com/archive/1/460735/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:desktop:*:*:*:*:*:*:*:*

Information

Published : 2007-02-22 19:28

Updated : 2018-10-16 09:36

NVD link : CVE-2007-1085

Mitre link : CVE-2007-1085

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

google

desktop

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf", "name": "http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf", "tags": [], "refsource": "MISC"}, {"url": "http://www.kb.cert.org/vuls/id/615857", "name": "VU#615857", "tags": ["US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://www.securityfocus.com/bid/22650", "name": "22650", "tags": ["Exploit"], "refsource": "BID"}, {"url": "http://www.securitytracker.com/id?1017686", "name": "1017686", "tags": [], "refsource": "SECTRACK"}, {"url": "http://securityreason.com/securityalert/2301", "name": "2301", "tags": [], "refsource": "SREASON"}, {"url": "http://osvdb.org/33483", "name": "33483", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.securityfocus.com/archive/1/460928/100/0/threaded", "name": "20070222 RE: Overtaking Google Desktop", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/460735/100/0/threaded", "name": "20070221 Overtaking Google Desktop", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Google Desktop allows remote attackers to bypass protection schemes and inject arbitrary web script or HTML, and possibly gain full access to the system, by using an XSS vulnerability in google.com to extract the signature for the internal web server, then calling the \"under\" parameter in Advanced Search with the proper signature."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2007-1085", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "HIGH", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": true, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2007-02-23T03:28Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:google:desktop:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-16T16:36Z"}