WEB VULNERABILITY SCANNER DOWNLOAD TRIAL FREE EDITION PRODUCT TOUR WEB SECURITY BLOG

Google Search Appliance UTF-7 Cross-Site Scripting Security Vulnerability

Description
Input passed to the "q" or/and "search_string" parameters (when "oe=UTF-7" and the parameter value is UTF7 encoded) is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.

Impact
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

References
Original Advisory
Product Homepage

Download a FREE trial of Acunetix WVS
Take a product tour of Acunetix WVS (includes screenshots & system overview) or view the datasheet (PDF)
Learn more about SQL injection, Cross site scripting (XSS), other web attacks and PCI-DSS at the Web Site Security Centre
See what the IT Press has to say about Acunetix WVS in the reviews page, read our customer testimonials, or see forthcoming events
List of vulnerabilities Acunetix WVS checks for.
Application Vulnerabilities in popular web applications that Acunetix WVS checks for