CVE-2008-2640

Name of the Vulnerable Software and Affected Versions Adobe Flex versions 3.0.1

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the Flex 3 History Management feature. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the anchor identifier to specific API endpoints, such as "client-side-detection-with-history/history/historyFrame.html", "express-installation-with-history/history/historyFrame.html", or "no-player-detection-with-history/history/historyFrame.html" in the templates/html-templates/ directory. It is noted that Firefox 2.0 and possibly other browsers prevent exploitation of this issue.

Recommendations For Adobe Flex version 3.0.1, consider disabling the History Management feature as a temporary workaround until a patch is available. Restrict access to the vulnerable API endpoints to minimize the risk of exploitation. Avoid using the anchor identifier in the affected API endpoints until the issue is resolved.