Cross-Site Search Vulnerability in Google Monorail Software
CVE-2018-19334

5.3MEDIUM

Key Information:

Vendor
Google
Status
Monorail
Vendor
CVE Published:
20 November 2018

Summary

The Google Monorail software, prior to May 4, 2018, contains a Cross-Site Search (XS-Search) vulnerability which is linked to CSRF issues affecting CSV downloads. Attackers can exploit this weakness to infer sensitive information regarding the content of bug reports through the misuse of download times, especially when requests are made with unsupported axes.

References

https://www.reddit.com/r/netsec/comments/9yiidf/xssearchi...
x_refsource_MISC
https://chromium.googlesource.com/infra/infra/+/77ef00cb5...
x_refsource_MISC
https://medium.com/%40luanherrera/xs-searching-googles-bu...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.