CVE-2011-2461 : Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x befor

Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

Published 2011-12-01 11:55:06

Updated 2017-11-09 02:29:00

Source Adobe Systems Incorporated

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2011-2461

Adobe » Flex Sdk » Version: 3.0
cpe:2.3:a:adobe:flex_sdk:3.0:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.5a
cpe:2.3:a:adobe:flex_sdk:3.5a:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.6
cpe:2.3:a:adobe:flex_sdk:3.6:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.0.1
cpe:2.3:a:adobe:flex_sdk:3.0.1:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.1
cpe:2.3:a:adobe:flex_sdk:3.1:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.2
cpe:2.3:a:adobe:flex_sdk:3.2:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 4.0
cpe:2.3:a:adobe:flex_sdk:4.0:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 4.1
cpe:2.3:a:adobe:flex_sdk:4.1:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.4.1
cpe:2.3:a:adobe:flex_sdk:3.4.1:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.5
cpe:2.3:a:adobe:flex_sdk:3.5:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.3
cpe:2.3:a:adobe:flex_sdk:3.3:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 3.4
cpe:2.3:a:adobe:flex_sdk:3.4:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 4.5
cpe:2.3:a:adobe:flex_sdk:4.5:*:*:*:*:*:*:*
Matching versions
Adobe » Flex Sdk » Version: 4.5.1
cpe:2.3:a:adobe:flex_sdk:4.5.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2011-2461

EPSS FAQ

10.81%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 93 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-2461

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2011-2461

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-2461

http://packetstormsecurity.com/files/131376/Magento-eCommerce-Vulnerable-Adobe-Flex-SDK.html

Magento eCommerce Vulnerable Adobe Flex SDK ≈ Packet Storm
Exploit
https://threatpost.com/adobe-cve-2011-2461-remains-exploitable-four-years-after-patch/111754

Adobe CVE-2011-2461 Remains Exploitable Via Flex Four Years After Patch | Threatpost
http://www.adobe.com/support/security/bulletins/apsb11-25.html

Adobe - Security Bulletins: APSB11-25 - Security update available for Flex SDK
Vendor Advisory
http://kb2.adobe.com/cps/915/cpsid_91544.html

Flex Security Issue APSB11-25
http://blog.mindedsecurity.com/2015/03/the-old-is-new-again-cve-2011-2461-is.html

Minded Security Blog: The old is new, again. CVE-2011-2461 is back!
http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html

Nibble Security: The old is new, again. CVE-2011-2461 is back!

Jump to

Vulnerability Details : CVE-2011-2461

Products affected by CVE-2011-2461

Exploit prediction scoring system (EPSS) score for CVE-2011-2461

CVSS scores for CVE-2011-2461

CWE ids for CVE-2011-2461

References for CVE-2011-2461