Vulnerability CVE-2007-6536
Published: 2007-12-27   Modified: 2012-02-12

Description:
The Custom Button Installer dialog in Google Toolbar 4 and 5 beta presents certain domain names in the (1) "Downloaded from" and (2) "Privacy considerations" sections without verifying domain names, which makes it easier for remote attackers to spoof domain names and trick users into installing malicious button XML files, as demonstrated by presenting www.google.com when the button was downloaded from an arbitrary site through an open redirector on www.google.com.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Google Toolbar Dialog Spoofing Vulnerability
avivra
28.12.2007

Type:

CWE-200

 (Information Exposure)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Google -> Toolbar 

 References:
http://aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.aspx
http://securityreason.com/securityalert/3491
http://www.securityfocus.com/archive/1/485288/100/0/threaded
http://www.securityfocus.com/bid/26923
https://exchange.xforce.ibmcloud.com/vulnerabilities/39164
Copyright 2024, cxsecurity.com

 

Back to Top