CVE-2007-3484 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that "Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0051.

Key SSVC decision points have not yet been added.

Vendors	Products
Google Subscribe	Custom Search Engine Subscribe

Configuration 1 [-]

cpe:2.3:a:google:custom_search_engine:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://osvdb.org/38038
http://websecurity.com.ua/1050/
http://www.attrition.org/pipermail/vim/2007-July/001706.html

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00324}`	epss `{'score': 0.0051}`

Wed, 07 Aug 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-06-28T20:00:00

Updated: 2024-08-07T14:21:36.414Z

Reserved: 2007-06-28T00:00:00

Link: CVE-2007-3484

Vulnrichment

Updated: 2024-08-07T14:21:36.414Z

NVD

Status : Deferred

Published: 2007-06-28T20:30:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-3484

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-06-15T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that \"Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2007-07-11T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "38038", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/38038"}, {"name": "20070710 Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)", "tags": ["mailing-list", "x_refsource_VIM"], "url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html"}, {"tags": ["x_refsource_MISC"], "url": "http://websecurity.com.ua/1050/"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3484", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that \"Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "38038", "refsource": "OSVDB", "url": "http://osvdb.org/38038"}, {"name": "20070710 Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)", "refsource": "VIM", "url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html"}, {"name": "http://websecurity.com.ua/1050/", "refsource": "MISC", "url": "http://websecurity.com.ua/1050/"}]}}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-24T19:33:37.182425Z", "id": "CVE-2007-3484", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "ADP Container", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:43:01.374Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:21:36.414Z"}, "title": "CVE Program Container", "references": [{"name": "38038", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/38038"}, {"name": "20070710 Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)", "tags": ["mailing-list", "x_refsource_VIM", "x_transferred"], "url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://websecurity.com.ua/1050/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3484", "datePublished": "2007-06-28T20:00:00", "dateReserved": "2007-06-28T00:00:00", "dateUpdated": "2024-08-07T14:21:36.414Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://osvdb.org/38038", "name": "38038", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"]}, {"url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html", "name": "20070710 Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)", "tags": ["mailing-list", "x_refsource_VIM", "x_transferred"]}, {"url": "http://websecurity.com.ua/1050/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:21:36.414Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2007-3484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-24T19:33:37.182425Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-24T19:33:26.587Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-06-15T00:00:00", "references": [{"url": "http://osvdb.org/38038", "name": "38038", "tags": ["vdb-entry", "x_refsource_OSVDB"]}, {"url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html", "name": "20070710 Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)", "tags": ["mailing-list", "x_refsource_VIM"]}, {"url": "http://websecurity.com.ua/1050/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that \"Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2007-07-11T09:00:00"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "http://osvdb.org/38038", "name": "38038", "refsource": "OSVDB"}, {"url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html", "name": "20070710 Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)", "refsource": "VIM"}, {"url": "http://websecurity.com.ua/1050/", "name": "http://websecurity.com.ua/1050/", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that \"Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2007-3484", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2007-3484", "state": "PUBLISHED", "dateUpdated": "2024-08-07T14:21:36.414Z", "dateReserved": "2007-06-28T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2007-06-28T20:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:custom_search_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "516F88E2-68DA-402D-8115-7CEB495B4D01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that \"Google does not provide the 'search.php' script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website."}, {"lang": "es", "value": "** EN DISPUTA ** La vulnerabilidad de secuencias de comandos entre sitios (XSS) en search.php en Google Custom Search Engine permite a los atacantes remotos inyectar scripts web arbitrarios o HTML a trav\u00e9s del par\u00e1metro q. NOTA: este problema es cuestionado por el equipo de seguridad de Google, que afirma que \"Google no proporciona el script 'search.php' al que se hace referencia. Cuando un usuario crea un motor de b\u00fasqueda personalizado, le proporcionamos un bloque de javascript para incluir en su sitio. Algunos usuarios escriben c\u00f3digo adicional alrededor de este bloque de javascript para personalizar a\u00fan m\u00e1s su sitio web."}], "id": "CVE-2007-3484", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2007-06-28T20:30:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/38038"}, {"source": "cve@mitre.org", "url": "http://websecurity.com.ua/1050/"}, {"source": "cve@mitre.org", "url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38038"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://websecurity.com.ua/1050/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.attrition.org/pipermail/vim/2007-July/001706.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}