Vulnerability Details : CVE-2007-6536
The Custom Button Installer dialog in Google Toolbar 4 and 5 beta presents certain domain names in the (1) "Downloaded from" and (2) "Privacy considerations" sections without verifying domain names, which makes it easier for remote attackers to spoof domain names and trick users into installing malicious button XML files, as demonstrated by presenting www.google.com when the button was downloaded from an arbitrary site through an open redirector on www.google.com.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2007-6536
Probability of exploitation activity in the next 30 days: 1.70%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2007-6536
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2007-6536
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2007-6536
Products affected by CVE-2007-6536
- cpe:2.3:a:google:toolbar:4:*:*:*:*:*:*:*
- cpe:2.3:a:google:toolbar:5:beta:*:*:*:*:*:*