Description
Cross-site scripting (XSS) vulnerability in Google Toolbar 2.0.114.1 allows remote attackers to inject arbitrary web script via about.html in the About section. NOTE: some followup posts suggest that the demonstration code's use of the res:// protocol does not cross privilege boundaries, since it is not allowed in the Internet Zone. Thus this might not be a vulnerability.
Affected products
- Google / toolbar 1.1.41 – 1.1.41
- Google / toolbar 1.1.42 – 1.1.42
- Google / toolbar 1.1.43 – 1.1.43
- Google / toolbar 1.1.44 – 1.1.44
- Google / toolbar 1.1.45 – 1.1.45
- Google / toolbar 1.1.47 – 1.1.47
- Google / toolbar 1.1.48 – 1.1.48
- Google / toolbar 1.1.49 – 1.1.49
- Google / toolbar 1.1.53 – 1.1.53
- Google / toolbar 1.1.54 – 1.1.54
- Google / toolbar 1.1.55 – 1.1.55
- Google / toolbar 1.1.56 – 1.1.56
- Google / toolbar 1.1.57 – 1.1.57
- Google / toolbar 1.1.58 – 1.1.58
- Google / toolbar 1.1.59 – 1.1.59
- Google / toolbar 1.1.60 – 1.1.60
- Google / toolbar 2.0.114.1 – 2.0.114.1
References
- MISC: http://securitytracker.com/id?1011351
- MISC: http://www.securityfocus.com/bid/11210
- MISC: https://exchange.xforce.ibmcloud.com/vulnerabilities/17435
- MISC: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0629.html
- MISC: http://archives.neohapsis.com/archives/bugtraq/2004-09/0226.html
- MISC: http://www.osvdb.org/10037
- MISC: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0639.html