Overview
Google Search Appliance (GSA) devices contain a cross-site scripting (XSS) vulnerability when dynamic navigation is enabled.
Description
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Google Search Appliance versions earlier than 7.2.0.G.114 and 7.0.14.G.216 fail to properly sanitize user input that is reflected directly into a JavaScript <script> block if the dynamic navigation feature is enabled. This allows an attacker to perform a reflected XSS attack. |
Impact
A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session. |
Solution
Apply an update |
Disable dynamic navigation |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Temporal | 3.4 | E:POC/RL:OF/RC:C |
| Environmental | 3.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2014-0362 |
| Date Public: | 2014-05-01 |
| Date First Published: | 2014-05-01 |
| Date Last Updated: | 2014-05-01 18:23 UTC |
| Document Revision: | 23 |