CVE-2014-4671

Published: 09/07/2014 Updated: 22/09/2015
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 470
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Adobe Flash Player prior to 13.0.0.231 and 14.x prior to 14.0.0.145 on Windows and OS X and prior to 11.2.202.394 on Linux, Adobe AIR prior to 14.0.0.137 on Android, Adobe AIR SDK prior to 14.0.0.137, and Adobe AIR SDK & Compiler prior to 14.0.0.137 do not properly restrict the SWF file format, which allows remote malicious users to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

Vulnerable Product

adobe flash_player 11.2.202.223

adobe flash_player 11.2.202.228

adobe flash_player 11.2.202.233

adobe flash_player 11.2.202.235

adobe flash_player 11.2.202.236

adobe flash_player 11.2.202.238

adobe flash_player 11.2.202.243

adobe flash_player 11.2.202.251

adobe flash_player 11.2.202.258

adobe flash_player 11.2.202.261

adobe flash_player 11.2.202.262

adobe flash_player 11.2.202.270

adobe flash_player 11.2.202.273

adobe flash_player 11.2.202.275

adobe flash_player 11.2.202.280

adobe flash_player 11.2.202.285

adobe flash_player 11.2.202.291

adobe flash_player 11.2.202.297

adobe flash_player 11.2.202.310

adobe flash_player 11.2.202.332

adobe flash_player 11.2.202.335

adobe flash_player 11.2.202.336

adobe flash_player 11.2.202.341

adobe flash_player 11.2.202.346

adobe flash_player 11.2.202.350

adobe flash_player 11.2.202.356

adobe flash_player 11.2.202.359

adobe flash_player

adobe adobe air 13.0.0.83

adobe adobe air 13.0.0.111

adobe adobe air

adobe adobe air sdk 13.0.0.83

adobe adobe air sdk 13.0.0.111

adobe adobe air sdk

adobe flash_player 13.0.0.182

adobe flash_player 13.0.0.201

adobe flash_player 13.0.0.206

adobe flash_player 13.0.0.214

adobe flash_player 14.0.0.125

Vendor Advisories

A flaw was found that would lead to Cross-Site Request Forgery (CSRF) attacks ...

Metasploit Modules

Flash "Rosetta" JSONP GET/POST Response Disclosure

A website that serves a JSONP endpoint that accepts a custom alphanumeric callback of 1200 chars can be abused to serve an encoded SWF payload that steals the contents of a same-domain URL. Flash < 14.0.0.145 is required. This module spins up a web server that, when a user navigates to it, attempts to abuse the specified JSONP endpoint URLs by stealing the response from GET requests to STEAL_URLS.

    msf > use auxiliary/gather/flash_rosetta_jsonp_url_disclosure
    msf auxiliary(flash_rosetta_jsonp_url_disclosure) > show actions
        ...actions...
    msf auxiliary(flash_rosetta_jsonp_url_disclosure) > set ACTION <action-name>
    msf auxiliary(flash_rosetta_jsonp_url_disclosure) > show options
        ...show and set options...
    msf auxiliary(flash_rosetta_jsonp_url_disclosure) > run

Github Repositories

A tool for manipulating SWF files, leveraging zlib to craft alphanumeric-only valid SWF files in order to allow CSRF with SOP bypass thanks to JSONP abuse.

Rosetta Flash (CVE-2014-4671): Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site reques