Description Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671 and CVE-2014-5333.
Severity: MEDIUM (4.3)
Published: Sept. 22, 2015
Modified: Feb. 17, 2017
Error type identifier: CWE-352 ,
CWE-200 Fixed packages References to Advisories, Solutions, and Tools Affected configurations: cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:17.0.0.191:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:18.0.0.203:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:18.0.0.209:*:*:*:*:*:*:*
cpe:2.3:a:adobe:flash_player:18.0.0.232:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
Running on/with:
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*