The Custom Button Installer dialog in Google Toolbar 4 and 5 beta presents certain domain names in the (1) "Downloaded from" and (2) "Privacy considerations" sections without verifying domain names, which makes it easier for remote attackers to spoof domain names and trick users into installing malicious button XML files, as demonstrated by presenting www.google.com when the button was downloaded from an arbitrary site through an open redirector on www.google.com.
Max CVSS
6.8
EPSS Score
1.70%
Published
2007-12-27
Updated
2018-10-15
Unspecified vulnerability in the benchmark reporting system in Google Web Toolkit (GWT) before 1.4.61 has unknown impact and attack vectors, possibly related to cross-site scripting (XSS).
Max CVSS
4.3
EPSS Score
0.26%
Published
2007-12-20
Updated
2017-08-08
Directory traversal vulnerability in region.php in KML share 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the layer parameter.
Max CVSS
5.0
EPSS Score
0.69%
Published
2007-12-04
Updated
2017-09-29
Cross-site scripting (XSS) vulnerability in Google Mini Search Appliance 3.4.14 allows remote attackers to inject arbitrary web script or HTML via the ie parameter to the /search URI.
Max CVSS
4.3
EPSS Score
0.61%
Published
2007-10-06
Updated
2018-10-15
Google Picasa allows remote attackers to read image files stored by Picasa via unspecified vectors involving a picasa:// URI. NOTE: this information is based upon a vague pre-advisory.
Max CVSS
5.0
EPSS Score
0.15%
Published
2007-09-12
Updated
2008-11-15
Multiple cross-application scripting (XAS) vulnerabilities in Google Picasa have unspecified attack vectors and impact. NOTE: this information is based upon a vague pre-advisory.
Max CVSS
6.8
EPSS Score
0.11%
Published
2007-09-11
Updated
2008-11-15
Multiple buffer overflows in Google Picasa have unspecified attack vectors and impact. NOTE: this information is based upon a vague pre-advisory.
Max CVSS
7.5
EPSS Score
0.10%
Published
2007-09-11
Updated
2013-07-05
Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that "Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website.
Max CVSS
4.3
EPSS Score
0.18%
Published
2007-06-28
Updated
2024-03-21
Google Desktop allows user-assisted remote attackers to execute arbitrary programs via a man-in-the-middle attack that injects JavaScript, a www.google.com search IFRAME, and a META HTTP-EQUIV="refresh" that targets a www.google.com search for a local .exe file, which is displayed in the "results stored on your computer" portion of the search results, and when clicked invokes Google Desktop to execute this file.
Max CVSS
9.3
EPSS Score
0.30%
Published
2007-06-11
Updated
2008-11-15
The Google Web Toolkit (GWT) framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
Max CVSS
5.0
EPSS Score
0.16%
Published
2007-04-30
Updated
2008-11-13
Cross-site scripting (XSS) vulnerability in Google Desktop allows remote attackers to bypass protection schemes and inject arbitrary web script or HTML, and possibly gain full access to the system, by using an XSS vulnerability in google.com to extract the signature for the internal web server, then calling the "under" parameter in Advanced Search with the proper signature.
Max CVSS
7.6
EPSS Score
2.47%
Published
2007-02-23
Updated
2018-10-16
Buffer overflow in Google Earth v4.0.2091 (beta) allows remote user-assisted attackers to cause a denial of service (crash) via a KML or KMZ file with a long href element.
Max CVSS
7.1
EPSS Score
1.20%
Published
2007-03-07
Updated
2018-10-16
12 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!