Detections
Analytics

Google Mini Search Appliance search Script ie Parameter XSS

medium Nessus Plugin ID 26196

Language:

Synopsis

The remote web server is affected by a cross-site scripting vulnerability.

Description

The remote Google Search Appliance / Mini Search Appliance fails to sanitize user-supplied input to the 'ie' parameter used in the search interface. An unauthenticated, remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.

Solution

Apply the fix as discussed in the vendor advisory referenced above.

See Also

http://www.nessus.org/u?1286e4b0

http://www.nessus.org/u?f30a1721

http://www.nessus.org/u?d4567b94

Plugin Details

Severity: Medium

ID: 26196

File Name: google_search_appliance_ie_xss.nasl

Version: 1.22

Type: remote

Published: 10/2/2007

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/h:google:search_appliance, cpe:/h:google:mini_search_appliance

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 10/1/2007

Vulnerability Publication Date: 9/21/2007

Reference Information

CVE: CVE-2007-5255

BID: 25894

CWE: 79