CVE-2015-3096 — Cross-Site Request Forgery in Adobe AIR

CWE-352 — Cross-Site Request Forgery7 documents7 sources

Severity

6.8MEDIUMNVD

CNA4.3OSV4.3

EPSS

0.4%

top 37.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe AIR Adobe AIR SDK Adobe AIR SDK Compiler +1 more

Timeline

PublishedJun 10

Latest updateMay 17

Description

Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466 on Linux, Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, Adobe AIR SDK before 18.0.0.144 on Windows and before 18.0.0.143 on OS X, and Adobe AIR SDK & Compiler before 18.0.0.144 on Windows and before 18.0.0.143 on OS X allow remote attackers to bypass a CVE-2014-5333 protection mechanism via unspecified vectors.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶NVDadobe/flash_player13.0.0.289+18

▶NVDadobe/air_sdk_compiler17.0.0.172

▶NVDadobe/air17.0.0.144+1

▶NVDadobe/air_sdk17.0.0.172

Patches

Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗

🔴Vulnerability Details

GHSA

GHSA-8qmf-pwhh-phx8: Adobe Flash Player before 13↗2022-05-17

▶

CVEList

CVE-2015-3096: Adobe Flash Player before 13↗2015-06-10

▶

OSV

CVE-2015-3096: Adobe Flash Player before 13↗2015-06-10

▶

📋Vendor Advisories

Red Hat

flash-plugin: cross-site request forgery against JSONP endpoints fixed in APSB15-11 (incomplete fix for CVE-2014-5333)↗2015-06-09

▶

🕵️Threat Intelligence

Zscaler

Zscaler discovers Flash Player Vulnerabilities | 06-09-2015↗

▶

💬Community

Bugzilla

CVE-2015-3096 flash-plugin: cross-site request forgery against JSONP endpoints fixed in APSB15-11 (incomplete fix for CVE-2014-5333)↗2015-06-10

▶