⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2013-5331: Code Injection in Adobe AIR

CWE-94: Code Injection | 8 documents | 8 sources
Severity: 9.3 CRITICAL (NVD)
EPSS: 87.4% (top 0.54%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Dec 11 | Latest update May 14

Description

Adobe Flash Player before 11.7.700.257 and 11.8.x and 11.9.x before 11.9.900.170 on Windows and Mac OS X and before 11.2.202.332 on Linux, Adobe AIR before 3.9.0.1380, Adobe AIR SDK before 3.9.0.1380, and Adobe AIR SDK & Compiler before 3.9.0.1380 allow remote attackers to execute arbitrary code via crafted .swf content that leverages an unspecified "type confusion," as exploited in the wild in December 2013.

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages (3 packages)

NVD | adobe/flash_player | 11.0 | 11.7.700.257 | +3
NVD | adobe/air | < 3.9.0.1380
NVD | adobe/air_sdk | < 3.9.0.1380

Patches

🔴 Vulnerability Details (3)

GHSA | GHSA-57g5-r5h9-q5pf: Adobe Flash Player before 11 | 2022-05-14
CVEList | CVE-2013-5331: Adobe Flash Player before 11 | 2013-12-11
VulnCheck | Adobe Flash Player Improper Control of Generation of Code ('Code Injection') | 2013

💥 Exploits & PoCs (2)

Exploit-DB | Adobe Flash Player - Type Confusion Remote Code Execution (Metasploit) | 2014-04-29
Metasploit | Adobe Flash Player Type Confusion Remote Code Execution

📋 Vendor Advisories (1)

Red Hat | flash-plugin: multiple code execution flaws (APSB13-28) | 2013-12-10

💬 Community (1)

Bugzilla | CVE-2013-5331 CVE-2013-5332 flash-plugin: multiple code execution flaws (APSB13-28) | 2013-12-10