Vulnerability Note VU#615857

Google Desktop vulnerable to cross-site scripting

Original Release date: 22 Feb 2007 | Last revised: 27 Feb 2007


A cross-site scripting vulnerability exists in the Google Desktop Search application. This vulnerability may allow an attacker to take any action on a vulnerable system that the Google Desktop Search can.


Google Desktop Search is a desktop search program that is integrated into the Google search engine. Google Desktop Search indexes the user's local hard drive, and allows the results to be searched from a browser.

The Google Desktop Search program contains a cross-site scripting vulnerability in the under parameter. This vulnerability occurs because the Google Desktop Search engine fails to properly sanitize user input.

Note that this vulnerability may not be exploited remotely without the presence of another vulnerability.


A remote unauthenticated attacker may be able to perform any action that the Google Desktop Search engine is capable of performing. This includes executing programs that are already on a vulnerable system, searching and viewing files and exfiltrating sensitive data.


Google has addressed this issue in the most recent version of the Google Desktop Search. Note that Google updates the Google Desktop Search automatically.

Disable JavaScript

Disable JavaScript in your browser's preferences. Instructions for disabling JavaScript can be found in the Securing Your Web Browser document and the Malicious Web Scripts FAQ. Some Mozilla add-ons can simplify the ability to enable or disable JavaScript, or set up site-specific rules for doing so.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
GoogleAffected-22 Feb 2007
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Yair Amit, Danny Allan, and Adi Sharabani for providing information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: Unknown
  • Date Public: 21 Feb 2007
  • Date First Published: 22 Feb 2007
  • Date Last Updated: 27 Feb 2007
  • Severity Metric: 0.52
  • Document Revision: 53


If you have feedback, comments, or additional information about this vulnerability, please send us email.