PT-2014-1372 · Adobe+4 · Air+6
Published: 2014-07-08 · Updated: 2024-07-12 · CVE-2014-4671
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Adobe Flash Player versions prior to 13.0.0.231
Adobe Flash Player versions 14.x prior to 14.0.0.145
Adobe AIR versions prior to 14.0.0.137
Adobe AIR SDK versions prior to 14.0.0.137
Adobe AIR SDK & Compiler versions prior to 14.0.0.137
hapi versions 6.1.0 and earlier
Description
The affected software does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints and obtain sensitive information. The attack uses specially crafted OBJECT elements whose SWF content satisfies the character-set requirements of a callback API. Exploitation lets an attacker send data across domains, breaking the browser's same-origin policy.
Recommendations
For Adobe Flash Player versions prior to 13.0.0.231, update to version 13.0.0.231 or later.
For Adobe Flash Player versions 14.x prior to 14.0.0.145, update to version 14.0.0.145 or later.
For Adobe AIR versions prior to 14.0.0.137, update to version 14.0.0.137 or later.
For Adobe AIR SDK versions prior to 14.0.0.137, update to version 14.0.0.137 or later.
For Adobe AIR SDK & Compiler versions prior to 14.0.0.137, update to version 14.0.0.137 or later.
For hapi versions 6.1.0 and earlier, update to version 6.1.1 or later.
As a temporary workaround for hapi, consider prepending an empty inline comment to JSONP callbacks, so that the Flash parser breaks on the invalid input and the issue is prevented.
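The workaround above, sketched as a framework-independent JSONP response builder. This is an added example, not hapi's code. The function names, the callback pattern, the 64-character limit and the nosniff header are assumptions for illustration, and the sample callback is constructed.

```javascript
// Fixed prefix from the workaround: an empty inline comment. It is valid
// JavaScript, but the response body no longer begins with bytes that were
// taken from the request.
const PREFIX = '/**/';

// Assumption (not from the advisory): callbacks are dotted identifiers
// of at most 64 characters.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isAcceptableCallback(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Build a JSONP response as { status, headers, body }.
function jsonpResponse(callback, data) {
  if (!isAcceptableCallback(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff', // extra hardening, not from the advisory
    },
    body: `${PREFIX}${callback}(${JSON.stringify(data)});`,
  };
}

// Check used below: does a body start with an SWF signature (FWS, CWS, ZWS)?
function startsWithSwfMagic(body) {
  return /^(?:FWS|CWS|ZWS)/.test(body);
}

// Constructed sample: an alphanumeric-only callback that begins with the
// compressed-SWF signature. It is not a working SWF file.
const sampleCallback = 'CWS' + 'A'.repeat(40);
const naiveBody = `${sampleCallback}({"ok":true});`; // callback echoed first
const res = jsonpResponse(sampleCallback, { ok: true });

console.log('naive body starts with SWF magic:   ', startsWithSwfMagic(naiveBody));
console.log('prefixed body starts with SWF magic:', startsWithSwfMagic(res.body));
```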
Exploit
Fix
CSRF
Affected Products
Alt Linux
Air
Air Sdk
Flash Player
Red Hat
Suse
Hapi