The danger originates with a feature in some versions of the appliance allowing a remote URL to be supplied as the path for an XSLT style sheet, used to customise the search interface, Metasploit said. "The Google Search Appliance search interface uses the 'proxystylesheet' form variable to determine what style sheet to apply to the search results. This variable can be a local file name or a HTTP URL," the organisation said in its advisory.
Input to the "proxystylesheet" parameter isn't properly sanitised, allowing attackers to execute malicious script code, what's known as a cross-site scripting attack, Metasploit said. This can be carried out via the appliance's error message system, or via a malicious XSLT style sheet.
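A defensive check for the "proxystylesheet" variable described above, as an added example that is not from the Metasploit advisory or from Google's code: it accepts only administrator-approved local style sheet names, rejects remote URLs, and HTML-encodes the value before it is echoed in an error message. The style sheet names, function names and sample request targets are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: local style sheet names approved by the administrator (hypothetical values).
ALLOWED_STYLESHEETS = {"default_frontend", "intranet"}
_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
_SCHEME_RE = re.compile(r"\s*[a-z][a-z0-9+.-]*:", re.IGNORECASE)

def classify_proxystylesheet(value):
    """Return 'allowed', 'remote-url', 'invalid-chars' or 'unknown-name'."""
    # Anything that looks like scheme: or //host is a remote reference, never a local name.
    if _SCHEME_RE.match(value) or value.lstrip().startswith("//"):
        return "remote-url"
    # Local names are restricted to a small character set, which excludes markup.
    if not _NAME_RE.fullmatch(value):
        return "invalid-chars"
    return "allowed" if value in ALLOWED_STYLESHEETS else "unknown-name"

def error_page(value):
    """Build an error message that echoes the value only after HTML-encoding it."""
    return "<p>Unknown style sheet: %s</p>" % html.escape(value, quote=True)

def review_request(request_target):
    """Classify every proxystylesheet value in a request target (path plus query)."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return [(v, classify_proxystylesheet(v)) for v in query.get("proxystylesheet", [])]

# Constructed sample request targets (not taken from real logs).
SAMPLE_TARGETS = [
    "/search?q=test&proxystylesheet=default_frontend",
    "/search?q=test&proxystylesheet=http%3A%2F%2Fstyles.example%2Fx.xsl",
    "/search?q=test&proxystylesheet=%3Cb%3Ex%3C%2Fb%3E",
    "/search?q=test&proxystylesheet=old_frontend",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        for value, verdict in review_request(target):
            print(verdict.ljust(14), repr(value))
            if verdict != "allowed":
                print("   response body:", error_page(value))
```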
Google claims to have been quite responsive and quick to deal with these issues, an assessment shared by HD Moore of the Metasploit Project, who reported the bugs.