Google Fixes XSS Vulnerability

Tuesday, May 6, 2014 @ 07:05 AM gHale

Google fixed a cross-site scripting (XSS) vulnerability in its Google Search Appliance (GSA), a device that enables organizations to index and search through web content, databases, and content management systems.

The device is vulnerable to reflected XSS attacks when the dynamic navigation feature ends up enabled, according to an advisory published by the Computer Emergency Response Team’s Coordination Center (CERT/CC). The appliance combines Dell hardware with Google software.

Security Flaw in OAuth 2.0, OpenID
Siri Allows iPhone Break-in
MyBB Release Fixes Security Holes
Video Site Hole Linked to DDoS Hit

Google fixed the vulnerability with the release of versions 7.2.0.G.114 and 7.0.14.G.216. Customers can download the updates from Google’s Enterprise Support Portal.

As a workaround, users can disable the dynamic navigation feature. Instructions on how to do so are available on the GSA support page.

Versions prior to 7.2.0.G.114 and 7.0.14.G.216 don’t properly sanitize user input reflected directly into a JavaScript “script” block when dynamic navigation is on. The vulnerability can end up exploited by an attacker to perform an XSS attack, i.e. execute arbitrary script in the context of the end-user’s browser session.

Will Dormann, a vulnerability analyst with the CERT/CC, reported the existence of the issue to Google on March 20.

Leave a Reply

You must be logged in to post a comment.