CVE-2014-5333
4.3
Vector
AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploitability: 8.6 / Impact: 2.9
Source: NVD
Description
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671.
Affected (46)
Products: Adobe: Adobe Air, Flash Player, Adobe Air Sdk
Configuration A
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| | Up to 13.0.0.231 |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| | Up to 14.0.0.137 |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| | Up to 11.2.202.394 |

| Running on/with | Platform Versions |
|---|---|
| Linux Linux Kernel | All versions |