CVE-2014-4671

Exploit

EPSS 35.83%
Published 09.07.2014 05:04:24
Last modified 12.04.2025 10:46:40
Source cve@mitre.org
Teams watchlist Login
Open Login

Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

Affected products Warnungen 0 Metrics 2 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Adobe ≫ Flash Player Version <= 11.2.202.378

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.223

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.228

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.233

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.235

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.236

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.238

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.243

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.251

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.258

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.261

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.262

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.270

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.273

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.275

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.280

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.285

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.291

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.297

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.310

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.332

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.335

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.336

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.341

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.346

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.350

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.356

Linux ≫ Linux Kernel

Adobe ≫ Flash Player Version11.2.202.359

Linux ≫ Linux Kernel

Adobe ≫ Adobe Air Version <= 14.0.0.110

Adobe ≫ Adobe Air Version13.0.0.83

Adobe ≫ Adobe Air Version13.0.0.111

Adobe ≫ Adobe Air Sdk Version <= 14.0.0.110

Adobe ≫ Adobe Air Sdk Version13.0.0.83

Adobe ≫ Adobe Air Sdk Version13.0.0.111

Adobe ≫ Flash Player Version <= 13.0.0.223

Apple ≫ macOS X
Microsoft ≫ Windows

Adobe ≫ Flash Player Version13.0.0.182

Apple ≫ macOS X
Microsoft ≫ Windows

Adobe ≫ Flash Player Version13.0.0.201

Apple ≫ macOS X
Microsoft ≫ Windows

Adobe ≫ Flash Player Version13.0.0.206

Apple ≫ macOS X
Microsoft ≫ Windows

Adobe ≫ Flash Player Version13.0.0.214

Apple ≫ macOS X
Microsoft ≫ Windows

Adobe ≫ Flash Player Version14.0.0.125

Apple ≫ macOS X
Microsoft ≫ Windows

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	35.83%	0.97

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://helpx.adobe.com/security/products/flash-player/apsb14-17.html

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2014-0860.html

http://secunia.com/advisories/59774

http://secunia.com/advisories/59837

http://security.gentoo.org/glsa/glsa-201407-02.xml

http://www.securitytracker.com/id/1030533

http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Exploit

http://www.securityfocus.com/bid/68457

https://nvd.nist.gov/vuln/detail/CVE-2014-4671

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-4671

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-4671

EUVD