4.3

CVE-2014-5333

Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671.

Data is provided by the National Vulnerability Database (NVD)
AdobeAdobe Air Version <= 14.0.0.137
   GoogleAndroid
AdobeAdobe Air Version13.0.0.83
   GoogleAndroid
AdobeAdobe Air Version13.0.0.111
   GoogleAndroid
AdobeAdobe Air Version14.0.0.110
   GoogleAndroid
AdobeFlash Player Version <= 13.0.0.231
   ApplemacOS X
   MicrosoftWindows
AdobeFlash Player Version13.0.0.182
   ApplemacOS X
   MicrosoftWindows
AdobeFlash Player Version13.0.0.201
   ApplemacOS X
   MicrosoftWindows
AdobeFlash Player Version13.0.0.206
   ApplemacOS X
   MicrosoftWindows
AdobeFlash Player Version13.0.0.214
   ApplemacOS X
   MicrosoftWindows
AdobeFlash Player Version13.0.0.223
   ApplemacOS X
   MicrosoftWindows
AdobeFlash Player Version14.0.0.125
   ApplemacOS X
   MicrosoftWindows
AdobeFlash Player Version14.0.0.145
   ApplemacOS X
   MicrosoftWindows
AdobeAdobe Air Sdk Version <= 14.0.0.137
AdobeAdobe Air Sdk Version13.0.0.83
AdobeAdobe Air Sdk Version13.0.0.111
AdobeAdobe Air Sdk Version14.0.0.110
AdobeFlash Player Version <= 11.2.202.394
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.223
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.228
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.233
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.235
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.236
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.238
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.243
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.251
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.258
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.261
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.262
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.270
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.273
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.275
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.280
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.285
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.291
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.297
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.310
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.332
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.335
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.336
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.341
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.346
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.350
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.356
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.359
   LinuxLinux Kernel
AdobeFlash Player Version11.2.202.378
   LinuxLinux Kernel
AdobeAdobe Air Version <= 14.0.0.110
   ApplemacOS X
   MicrosoftWindows
AdobeAdobe Air Version13.0.0.83
   ApplemacOS X
   MicrosoftWindows
AdobeAdobe Air Version13.0.0.111
   ApplemacOS X
   MicrosoftWindows
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.33% 0.55
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.