Title: Adobe Flash Player SWFs in Dreamweaver and Acrobat Unspecified Cross-Site Scripting Vulnerabilities
Severity: MODERATE
Description:
Adobe Dreamweaver and Acrobat Connect include pre-generated SWF files. SWFs (Shock Wave Files) are Flash media files played via Adobe Flash Player.
Some of the pre-generated SWF files included are prone to cross-site scripting vulnerabilities.
UPDATE: These issues affect the 'FLVPlayer_Progressive.swf' and 'FLVPlayer_Streaming.swf' files. Code generated with the 'Insert Flash Video' command in Dreamweaver and code generated by Adobe Presenter for use with Adobe Connect may also be affected. Please see the referenced advisories for more information about affected products and updates.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The affected SWF files are included with Dreamweaver CS3 and Acrobat Connect. However, the applications themselves are not affected.
Affected Products:
- Adobe AIR 1.0
- Adobe Flash Basic 8
- Adobe Flash CS3 Professional
- Adobe Flash Player 7.0.69.0
- Adobe Flash Player 7.0.70.0
- Adobe Flash Player 8.0.34.0
- Adobe Flash Player 8.0.35.0
- Adobe Flash Player 9.0.115.0
- Adobe Flash Player 9.0.28.0
- Adobe Flash Player 9.0.31.0
- Adobe Flash Player 9.0.45.0
- Adobe Flash Player 9.0.47.0
- Adobe Flash Player 9.0.48.0
- Adobe Flash Player Plugin 7.0.25
- Adobe Flash Player Plugin 7.0.63
- Adobe Flash Player Plugin 8.0.0
- Adobe Flash Player Plugin 9.0.16
- Adobe Flash Player Plugin 9.0.18d60
- Adobe Flash Player Plugin 9.0.20.0
- Adobe Flash Player Plugin 9.0.28.0
- Adobe Flash Player Plugin 9.0.31.0
- Adobe Flash Professional 8
- Adobe Flex 3.0
- Apple Mac OS X 10.4.11
- Apple Mac OS X 10.5
- Apple Mac OS X 10.5.1
- Apple Mac OS X 10.5.2
- Apple Mac OS X Server 10.4.11
- Apple Mac OS X Server 10.5
- Apple Mac OS X Server 10.5.1
- Apple Mac OS X Server 10.5.2
- Gentoo Linux
- Nortel Networks Self-Service
- Nortel Networks Self-Service - CCSS7
- Nortel Networks Self-Service MPS 1000
- Nortel Networks Self-Service Media Processing Server
- Nortel Networks Self-Service Peri Application
- Nortel Networks Self-Service Peri Workstation
- RedHat Enterprise Linux Desktop Supplementary 5 client
- RedHat Enterprise Linux Extras 3
- RedHat Enterprise Linux Extras 4
- RedHat Enterprise Linux Supplementary 5 server
- S.u.S.E. Linux 10.1 ppc
- S.u.S.E. Linux 10.1 x86
- S.u.S.E. Linux 10.1 x86-64
- S.u.S.E. Novell Linux Desktop 9
- S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
- S.u.S.E. openSUSE 10.2
- S.u.S.E. openSUSE 10.3
- Sun OpenSolaris build snv_88
- Sun Solaris 10.0
- Sun Solaris 10.0_x86
- Turbolinux FUJI
- Turbolinux wizpy
References:
- Adobe: APSA07-06 - Vulnerabilities in some SWF files could allow cross-site scripting
- Adobe: APSB08-01 - Update to Dreamweaver and Contribute to address potential cross-site
- Adobe: APSB08-02 - Update available for Adobe Connect Enterprise Server cross-site scri
- Adobe: APSB08-11 - Flash Player update available to address security vulnerabilities
- Adobe: Adobe Flash Homepage
- Adobe: Install Adobe Flash Player
- Nortel Networks: Nortel Response to Sun Alert 238305 - Multiple Security Vulnerabilities in Flash
- Red Hat: RHSA-2008:0221-3: Critical: flash-plugin security update
- Sun Microsystems: Solution 238305: Multiple Security Vulnerabilities in Flash Player for Solaris