CVE-2014-5333
Adobe AIR < 14.0.0.178 - Cross-Site Request Forgery via Crafted SWF OBJECT Element
Title source: llmDescription
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
http://helpx.adobe.com/security/products/flash-player/apsb14-18.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/95418
Various Sources x_refsource_misc
http://miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/
Scores
EPSS
0.0351
EPSS Percentile
87.8%
Details
CWE
CWE-352
Status
published
Products (44)
adobe/adobe_air
13.0.0.83
adobe/adobe_air
13.0.0.111
adobe/adobe_air
14.0.0.110
adobe/adobe_air
< 14.0.0.137
adobe/adobe_air_sdk
13.0.0.83
adobe/adobe_air_sdk
13.0.0.111
adobe/adobe_air_sdk
14.0.0.110
adobe/adobe_air_sdk
< 14.0.0.137
adobe/flash_player
13.0.0.182
adobe/flash_player
13.0.0.201
... and 34 more
Published
Aug 19, 2014
Tracked Since
Feb 18, 2026