CVE-2007-3484

** DISPUTED ** Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that "Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website."

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://osvdb.org/38038
http://websecurity.com.ua/1050/
http://www.attrition.org/pipermail/vim/2007-July/001706.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:custom_search_engine:*:*:*:*:*:*:*:*

History

03 Jul 2024, 01:35

Type	Values Removed	Values Added
CVSS	v2 : ~~4.3~~ v3 : ~~unknown~~	v2 : 4.3 v3 : 6.1

Information

Published : 2007-06-28 20:30

Updated : 2024-08-07 15:15

NVD link : CVE-2007-3484

Mitre link : CVE-2007-3484

CVE.ORG link : CVE-2007-3484

JSON object : View

Products Affected

google

custom_search_engine

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2007-3484", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2007-06-28T20:30:00.000", "references": [{"url": "http://osvdb.org/38038", "source": "cve@mitre.org"}, {"url": "http://websecurity.com.ua/1050/", "source": "cve@mitre.org"}, {"url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that \"Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website."}, {"lang": "es", "value": "** EN DISPUTA ** La vulnerabilidad de secuencias de comandos entre sitios (XSS) en search.php en Google Custom Search Engine permite a los atacantes remotos inyectar scripts web arbitrarios o HTML a trav\u00e9s del par\u00e1metro q. NOTA: este problema es cuestionado por el equipo de seguridad de Google, que afirma que \"Google no proporciona el script 'search.php' al que se hace referencia. Cuando un usuario crea un motor de b\u00fasqueda personalizado, le proporcionamos un bloque de javascript para incluir en su sitio. Algunos usuarios escriben c\u00f3digo adicional alrededor de este bloque de javascript para personalizar a\u00fan m\u00e1s su sitio web."}], "lastModified": "2024-08-07T15:15:32.343", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:custom_search_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "516F88E2-68DA-402D-8115-7CEB495B4D01"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}