CVE-2007-6244
published 2007-12-20


Priority: P418 medium
CVSS 2.0: 4.3 (medium), vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit: public exploit available
EPSS: 12.93% (95.8th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player 9.x up to 9.0.48.0 and 8.x up to 8.0.35.0 allow remote attackers to inject arbitrary web script or HTML via (1) a SWF file that uses the asfunction: protocol or (2) the navigateToURL function when used with the Flash Player ActiveX Control in Internet Explorer.

Affected

19 ranges

Vendor: adobe
Product: flash_player
Version range / Fixed in: 19 ranges are listed, but the range and fixed-in values are not present on this page

Detection & IOCs (extracted from sources)

url: http://www.example.com/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30907.as
other: asfunction:getURL,javascript:
  • Detect XSS attempts via the asfunction: protocol in SWF file URL parameters (e.g., ?baseurl=asfunction:getURL,javascript:...)
  • Monitor Flash Player ActiveX Control usage of the navigateToURL API for cross-domain JavaScript execution in Internet Explorer
  • Flag HTTP requests to .swf files containing 'asfunction:' in query string parameters as potential XSS exploitation attempts
  • Inspect SWF files for use of pre-generated or crafted SWF content related to Adobe Dreamweaver CS3 or Adobe Acrobat Connect as potential XSS vectors
  • Vulnerability affects Adobe Flash Player 9.x up to and including 9.0.48.0 and 8.x up to and including 8.0.35.0; versions outside this range are not affected by this CVE
  • The navigateToURL attack vector is specific to the Flash Player ActiveX Control running in Internet Explorer; other browsers are not affected by that particular vector
  • The asfunction: XSS vector for CVE-2007-6637 is already covered under CVE-2007-6244; avoid double-counting detections
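A detection routine for the first and third bullets above, added here as an example rather than taken from this page or any vendor tool: it scans constructed web-server access-log lines for requests to .swf files whose query-string values contain the asfunction: scheme, percent-decoding repeatedly and folding case so encoded or upper-cased variants of the IOC are still flagged. The log lines and function names are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format) for the example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2007:10:01:02 +0000] "GET /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// HTTP/1.1" 200 512
10.0.0.6 - - [20/Dec/2007:10:01:03 +0000] "GET /player.swf?file=video.flv HTTP/1.1" 200 4096
10.0.0.7 - - [20/Dec/2007:10:01:04 +0000] "GET /main.swf?baseurl=ASFUNCTION%3AgetURL%2Cjavascript%3Aalert%281%29 HTTP/1.1" 200 512
10.0.0.8 - - [20/Dec/2007:10:01:05 +0000] "GET /docs/asfunction.html?q=asfunction: HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded 'asfunction%253A' is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def swf_asfunction_hits(line: str) -> list:
    """Return the decoded query values carrying 'asfunction:' for a .swf request, else []."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(".swf"):
        return []  # the rule is scoped to SWF requests, as the third bullet above states
    hits = []
    for _, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if "asfunction:" in value.lower():
            hits.append(value)
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, matched_values) for every flagged line in an access log."""
    flagged = []
    for line in text.splitlines():
        hits = swf_asfunction_hits(line)
        if hits:
            flagged.append((line.split(" ", 1)[0], hits))
    return flagged

if __name__ == "__main__":
    for ip, values in scan_log(SAMPLE_LOG):
        print(f"{ip}: asfunction: in SWF query string -> {values}")
```

The non-SWF request on the last sample line is deliberately not flagged, which keeps the rule from firing on ordinary pages that merely mention the scheme.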

CVSS provenance

nvd: CVSS v2.0 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat: 4.3 MEDIUM