← Back

CVE-2015-5571

nvd nist
Published: Sep 22, 2015Modified: May 6, 2026

JSON object

Loading...
4.3
Vector
AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploitability: 8.6 / Impact: 2.9
Source: NVD

Description

Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671 and CVE-2014-5333.

Affected (30)

Adobe
4 products
Flash Player
Air
Air Sdk
Air Sdk & Compiler
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Flash Player
Up to 11.2.202.508
Running on/withPlatform Versions
Linux
Linux Kernel
All versions
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Air
Up to 18.0.0.199
Air Sdk
Up to 18.0.0.199
Air Sdk & Compiler
Up to 18.0.0.180
Configuration C
25 vulnerable · 2 platform
Vulnerable SoftwareAffected Versions
Adobe
Flash Player
Up to 13.0.0.289
Flash Player
Version 14.0.0.125
Flash Player
Version 14.0.0.145
Flash Player
Version 14.0.0.176
Flash Player
Version 14.0.0.179
Flash Player
Version 15.0.0.152
Flash Player
Version 15.0.0.167
Flash Player
Version 15.0.0.189
Flash Player
Version 15.0.0.223
Flash Player
Version 15.0.0.239
Flash Player
Version 15.0.0.246
Flash Player
Version 16.0.0.235
Flash Player
Version 16.0.0.257
Flash Player
Version 16.0.0.287
Flash Player
Version 16.0.0.296
Flash Player
Version 17.0.0.134
Flash Player
Version 17.0.0.169
Flash Player
Version 17.0.0.188
Flash Player
Version 17.0.0.190
Flash Player
Version 17.0.0.191
Flash Player
Version 18.0.0.160
Flash Player
Version 18.0.0.194
Flash Player
Version 18.0.0.203
Flash Player
Version 18.0.0.209
Flash Player
Version 18.0.0.232
Running on/withPlatform Versions
Apple
Mac Os X
All versions
Microsoft
Windows
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Air
Up to 18.0.0.143
Running on/withPlatform Versions
Google
Android
All versions

Related CWEs

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (26)

Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
Source: psirt@adobe.com
PatchVendor Advisory
Source: psirt@adobe.com
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.