Adobe Flash Player prior to 18.0.0.241 and 19.x prior to 19.0.0.185 on Windows and OS X and prior to 11.2.202.521 on Linux, Adobe AIR prior to 19.0.0.190, Adobe AIR SDK prior to 19.0.0.190, and Adobe AIR SDK & Compiler prior to 19.0.0.190 do not properly restrict the SWF file format, which allows remote malicious users to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671 and CVE-2014-5333.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
adobe flash player |
||
adobe air |
||
adobe air sdk |
||
adobe air sdk & compiler |
||
adobe flash player 14.0.0.125 |
||
adobe flash player 14.0.0.145 |
||
adobe flash player 14.0.0.176 |
||
adobe flash player 14.0.0.179 |
||
adobe flash player 15.0.0.152 |
||
adobe flash player 15.0.0.167 |
||
adobe flash player 15.0.0.189 |
||
adobe flash player 15.0.0.223 |
||
adobe flash player 15.0.0.239 |
||
adobe flash player 15.0.0.246 |
||
adobe flash player 16.0.0.235 |
||
adobe flash player 16.0.0.257 |
||
adobe flash player 16.0.0.287 |
||
adobe flash player 16.0.0.296 |
||
adobe flash player 17.0.0.134 |
||
adobe flash player 17.0.0.169 |
||
adobe flash player 17.0.0.188 |
||
adobe flash player 17.0.0.190 |
||
adobe flash player 17.0.0.191 |
||
adobe flash player 18.0.0.160 |
||
adobe flash player 18.0.0.194 |
||
adobe flash player 18.0.0.203 |
||
adobe flash player 18.0.0.209 |
||
adobe flash player 18.0.0.232 |
Vulmon