fkie_cve-2014-4671
Vulnerability from fkie_nvd
Published
2014-07-09 05:04
Modified
2025-04-12 10:46
Severity ?
Summary
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.
References
cve@mitre.orghttp://helpx.adobe.com/security/products/flash-player/apsb14-17.htmlVendor Advisory
cve@mitre.orghttp://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/Exploit
cve@mitre.orghttp://rhn.redhat.com/errata/RHSA-2014-0860.html
cve@mitre.orghttp://secunia.com/advisories/59774
cve@mitre.orghttp://secunia.com/advisories/59837
cve@mitre.orghttp://security.gentoo.org/glsa/glsa-201407-02.xml
cve@mitre.orghttp://www.securityfocus.com/bid/68457
cve@mitre.orghttp://www.securitytracker.com/id/1030533
af854a3a-2127-422b-91ae-364da2661108http://helpx.adobe.com/security/products/flash-player/apsb14-17.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/Exploit
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2014-0860.html
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/59774
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/59837
af854a3a-2127-422b-91ae-364da2661108http://security.gentoo.org/glsa/glsa-201407-02.xml
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/68457
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1030533
Impacted products
Vendor Product Version
adobe flash_player *
adobe flash_player 11.2.202.223
adobe flash_player 11.2.202.228
adobe flash_player 11.2.202.233
adobe flash_player 11.2.202.235
adobe flash_player 11.2.202.236
adobe flash_player 11.2.202.238
adobe flash_player 11.2.202.243
adobe flash_player 11.2.202.251
adobe flash_player 11.2.202.258
adobe flash_player 11.2.202.261
adobe flash_player 11.2.202.262
adobe flash_player 11.2.202.270
adobe flash_player 11.2.202.273
adobe flash_player 11.2.202.275
adobe flash_player 11.2.202.280
adobe flash_player 11.2.202.285
adobe flash_player 11.2.202.291
adobe flash_player 11.2.202.297
adobe flash_player 11.2.202.310
adobe flash_player 11.2.202.332
adobe flash_player 11.2.202.335
adobe flash_player 11.2.202.336
adobe flash_player 11.2.202.341
adobe flash_player 11.2.202.346
adobe flash_player 11.2.202.350
adobe flash_player 11.2.202.356
adobe flash_player 11.2.202.359
linux linux_kernel *
adobe adobe_air *
adobe adobe_air 13.0.0.83
adobe adobe_air 13.0.0.111
adobe adobe_air_sdk *
adobe adobe_air_sdk 13.0.0.83
adobe adobe_air_sdk 13.0.0.111
adobe flash_player *
adobe flash_player 13.0.0.182
adobe flash_player 13.0.0.201
adobe flash_player 13.0.0.206
adobe flash_player 13.0.0.214
adobe flash_player 14.0.0.125
apple mac_os_x *
microsoft windows *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6EE848A-771C-4A59-8BFD-CFED00CBD1FD",
              "versionEndIncluding": "11.2.202.378",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.223:*:*:*:*:*:*:*",
              "matchCriteriaId": "146E1EAC-B9AF-4511-A0DC-A048428E3B68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.228:*:*:*:*:*:*:*",
              "matchCriteriaId": "5AFBB9EA-1A66-4FBC-BF89-7DF04FDD6788",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.233:*:*:*:*:*:*:*",
              "matchCriteriaId": "39065E60-3680-4384-95C0-EF4F874D2400",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.235:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B0603B3-5C98-422D-A49D-EBE1798DAE69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.236:*:*:*:*:*:*:*",
              "matchCriteriaId": "5AC7882D-1577-4CEA-B1C0-0FEBC91A441A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.238:*:*:*:*:*:*:*",
              "matchCriteriaId": "CED86796-B721-49B1-A021-82FA769FA024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.243:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF7843C6-628A-4091-8A09-6E126A89870E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.251:*:*:*:*:*:*:*",
              "matchCriteriaId": "472F569C-0FD5-4F61-A4D6-258A8A9C4008",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.258:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E91A468-191C-4A2D-B1B6-0DDE8BB1C1D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.261:*:*:*:*:*:*:*",
              "matchCriteriaId": "47F94E94-C190-4559-8FF6-FEEE6634B67B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.262:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CC3FDE1-44FD-4BC3-BB43-C44C94D3F794",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.270:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE46E137-5298-44FA-B40C-6079C9AEE60F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.273:*:*:*:*:*:*:*",
              "matchCriteriaId": "D14EAFB3-3718-466F-8EB2-61D00D569251",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.275:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD3390A0-8EB6-424E-96AC-B87E22D6FF6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.280:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCD935A5-D923-48CC-9699-977C5123D52C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.285:*:*:*:*:*:*:*",
              "matchCriteriaId": "5AABFF8D-2C2A-4B8B-9DE2-C74EECEDD86F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.291:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD0EF3E4-C91F-4AD4-91E7-A10DC66DE4A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.297:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DDB9C24-953C-4268-8C4A-E7C0F021698E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.310:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8474A98-24F4-43E5-9402-319F68A9880B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.332:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CD7F4E8-742E-4264-84EE-22D9E3CB3C76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.335:*:*:*:*:*:*:*",
              "matchCriteriaId": "97DBA814-D400-440C-BEEA-AB1913F783C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.336:*:*:*:*:*:*:*",
              "matchCriteriaId": "9CDA6379-D70E-476C-82C5-C916C13CA081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.341:*:*:*:*:*:*:*",
              "matchCriteriaId": "515589AD-8CC1-46CE-9F9A-BAAD725E2C8F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.346:*:*:*:*:*:*:*",
              "matchCriteriaId": "308488AB-3D95-4231-8201-BF4EE5C9C151",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.350:*:*:*:*:*:*:*",
              "matchCriteriaId": "DDB40406-277E-4BF5-ADCF-BE16B1CF390B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.356:*:*:*:*:*:*:*",
              "matchCriteriaId": "33165339-9DCC-46B2-B22F-CF31D26175D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:11.2.202.359:*:*:*:*:*:*:*",
              "matchCriteriaId": "28AB62F3-9CB0-4ED8-9785-2B4878BB101D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "155AD4FB-E527-4103-BCEF-801B653DEA37",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1601647A-06A7-4D82-9BF0-5DCAAC5A2114",
              "versionEndIncluding": "14.0.0.110",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C898203-9D6E-4430-8905-C28180F954E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*",
              "matchCriteriaId": "434B6846-3ED5-4F23-88D1-567668EE8E94",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4010CF1-D0B6-46FD-97DF-6F546881AFA6",
              "versionEndIncluding": "14.0.0.110",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:*:*:*:*:*:*:*",
              "matchCriteriaId": "B005E5AC-DD7D-413E-92A2-4E8D7F3F2D7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:*:*:*:*:*:*:*",
              "matchCriteriaId": "F228403E-68B3-4B18-B120-066346D80891",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C96C2CD0-3CBE-4770-B1CC-1A53BEE493A0",
              "versionEndIncluding": "13.0.0.223",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3DD6547-ABEE-4734-87AA-BD3E247226B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:13.0.0.201:*:*:*:*:*:*:*",
              "matchCriteriaId": "0732FFB7-4BFD-499D-A166-9128F3DABA0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:13.0.0.206:*:*:*:*:*:*:*",
              "matchCriteriaId": "C282F91D-C1FE-4CC7-A33D-8E43F85DF168",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:13.0.0.214:*:*:*:*:*:*:*",
              "matchCriteriaId": "11E8C1F3-83AA-468B-8F5A-285F3BD19CC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5D7202D-56DF-400B-9F09-E7D9938222D3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0FF5999A-9D12-4CDD-8DE9-A89C10B2D574",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK \u0026 Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API."
    },
    {
      "lang": "es",
      "value": "Adobe Flash Player anterior a 13.0.0.231 y 14.x anterior a 14.0.0.145 en Windows y OS X y anterior a 11.2.202.394 en Linux, Adobe AIR anterior a 14.0.0.137 en Android, Adobe AIR SDK anterior a 14.0.0.137 y Adobe AIR SDK \u0026 Compiler anterior a 14.0.0.137 no restringen debidamente el formatos de ficheros SWF, lo que permitte a atacantes remotos realizar ataques de CSRF contra Endpoints JSONP, y obtener informaci\u00f3n sensible, a trav\u00e9s de un elemento OBJECT manipulado con contenido SWF que satisface los requisitos de la configuraci\u00f3n de caracteres de una API de devoluci\u00f3n de llamadas."
    }
  ],
  "id": "CVE-2014-4671",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-07-09T05:04:24.960",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://helpx.adobe.com/security/products/flash-player/apsb14-17.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0860.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/59774"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/59837"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://security.gentoo.org/glsa/glsa-201407-02.xml"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/68457"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id/1030533"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://helpx.adobe.com/security/products/flash-player/apsb14-17.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0860.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/59774"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/59837"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://security.gentoo.org/glsa/glsa-201407-02.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/68457"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1030533"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.