Unrated severityNVD Advisory· Published Dec 27, 2007· Updated Apr 23, 2026

CVE-2007-6536

Description

The Custom Button Installer dialog in Google Toolbar 4 and 5 beta presents certain domain names in the (1) "Downloaded from" and (2) "Privacy considerations" sections without verifying domain names, which makes it easier for remote attackers to spoof domain names and trick users into installing malicious button XML files, as demonstrated by presenting www.google.com when the button was downloaded from an arbitrary site through an open redirector on www.google.com.

Affected products

Google/Toolbar2 versions
cpe:2.3:a:google:toolbar:4:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:google:toolbar:4:*:*:*:*:*:*:*
- cpe:2.3:a:google:toolbar:5:beta:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.aspxnvdExploit
secunia.com/advisories/28166nvdVendor Advisory
securityreason.com/securityalert/3491nvd
www.osvdb.org/39499nvd
www.securityfocus.com/archive/1/485288/100/0/threadednvd
www.securityfocus.com/bid/26923nvd
exchange.xforce.ibmcloud.com/vulnerabilities/39164nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000