HTTP: Adobe Flash Player and AIR CVE-2014-4671 Cross-Site Requeset Forgery
This signature detects attempts to exploit a known vulnerability against Adobe Flash Player and AIR. A successful attack can lead to cross-site request forgery attacks and unauthorized session hijack.
Extended Description
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.
Affected Products
Adobe adobe_air
Short Name
HTTP:STC:ADOBE:CVE-2014-4671
Severity
Minor
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
AIR Adobe CVE-2014-4671 Cross-Site Flash Forgery Player Requeset and bid:68457
Release Date
08/06/2014
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3761
False Positive
Unknown
Vendors
Adobe
CVSS Score
4.3