Googe Desktop Search contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate variables upon submission to the script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. It is possible for a remote attacker to create a specially crafted URL, that when loaded by a target user that has Google Desktop Search installed, will execute scripting code which will be executed by the target user's browser. The code will originate from the Google site and will run in the security context of that site. The resulting impact is that the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Googe Desktop Search contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate variables upon submission to the script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

None

• Security Tracker: 1011928
• Other Advisory URL: http://mirabilweb.altervista.org/pagina.php?pagina=google_bug
• Vendor URL: http://www.google.com/

• Salvatore Aranzulla - aranzulla2cheapnet.it -

We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.