CVE-2010-3636: Permissive Cross-domain Security Policy with Untrusted Domains in Adobe Flash Player

Severity: 9.3 CRITICAL (NVD)
EPSS: 1.7% (top 17.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Nov 7
Latest update: May 13

Description

Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris, and 10.1.95.1 on Android, does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors.

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages (1 package)

NVD | adobe/flash_player | 9.0 | 9.0.289.0 | +2

Patches

🔴 Vulnerability Details (1)

GHSA
GHSA-r3hm-9frm-fwcf: Adobe Flash Player before 9 (2022-05-13)

📋 Vendor Advisories (1)

Red Hat
flash-plugin: security bulletin APSB10-26 (2010-11-04)

📐 Framework References (1)

CWE
Permissive Cross-domain Security Policy with Untrusted Domains

💬 Community (1)

Bugzilla
flash-plugin: security bulletin APSB10-26 (2010-11-04)