XSS Vulnerability Found in Google Search Appliance

According to an advisory published by the Computer Emergency Response Team’s Coordination Center (CERT/CC), the Google Search Appliance (GSA) enterprise solution is vulnerable to reflected XSS attacks when the dynamic navigation feature is enabled.

The security hole has been fixed with the release of versions 7.2.0.G.114 and 7.0.14.G.216. Customers can download the updates from Google’s Enterprise Support Portal.

As a workaround, users can disable the dynamic navigation feature. Instructions on how to do so are available on the GSA support page.

Versions prior to 7.2.0.G.114 and 7.0.14.G.216 don’t properly sanitize user input that is reflected directly into a JavaScript “script” block when dynamic navigation is turned on. An attacker can exploit the vulnerability to perform an XSS attack, i.e. execute arbitrary script in the context of the end-user’s browser session.
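The class of bug described above, reflection into a script block, is commonly handled by encoding for the JavaScript string context rather than for HTML. The sketch below is an added example, not GSA code or Google's fix; the function names, the `query` variable and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example, not Google Search Appliance code. All names are hypothetical.

// Unsafe pattern: the value is pasted between quotes inside an inline script block.
// A quote ends the string literal; "</script>" ends the script element itself.
function renderNaive(q) {
  return '<script>var query = "' + q + '";</script>';
}

// Encoder for the JavaScript-string-in-HTML context: ASCII letters and digits pass
// through, every other UTF-16 code unit becomes a \uXXXX escape. The output contains
// only letters, digits and backslashes, so no quote, angle bracket, slash or line
// terminator survives.
function jsStringEncode(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    const isAlnum = (code >= 48 && code <= 57) || (code >= 65 && code <= 90) ||
                    (code >= 97 && code <= 122);
    out += isAlnum ? s[i] : "\\u" + code.toString(16).padStart(4, "0");
  }
  return out;
}

function renderSafe(q) {
  return '<script>var query = "' + jsStringEncode(q) + '";</script>';
}

// Recover the string a browser would assign to `query` from a renderSafe page.
// A literal made only of alphanumerics and \uXXXX escapes is also valid JSON.
// Returns null when the literal contains any other character (e.g. naive output).
function decodeQuery(html) {
  const m = /^<script>var query = ("[A-Za-z0-9\\]*");<\/script>$/.exec(html);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed sample input containing the characters that matter in this context.
const sample = 'shoes" </script><i>';
console.log(renderNaive(sample));  // metacharacters reach the page unchanged
console.log(renderSafe(sample));   // same value, carried purely as string data
console.log(decodeQuery(renderSafe(sample)) === sample);
```

HTML entity encoding alone does not help here, because the browser does not decode entities inside a script element.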

Will Dormann, a vulnerability analyst with the CERT/CC, reported the existence of the issue to Google on March 20, 2014. The advisory on the Google Search Appliance XSS vulnerability was made public on May 1, 2014.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]
