Vulnerability Details : CVE-2014-5333
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '$' (dollar sign) or '(' (open parenthesis) character. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2014-5333
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:11.2.202.228:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.235:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.233:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.238:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.243:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.223:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.236:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.262:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.261:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.273:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.251:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.258:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.270:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.275:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.285:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.280:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.335:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.332:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.297:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.291:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.310:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.341:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.336:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:13.0.0.201:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:13.0.0.206:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:11.2.202.346:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.356:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.350:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:13.0.0.214:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:13.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:11.2.202.378:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:flash_player:11.2.202.359:*:*:*:*:*:*:*When used together with: Linux » Linux Kernel
- cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air:14.0.0.110:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.110:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5333
0.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 65 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-5333
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2014-5333
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5333
-
http://helpx.adobe.com/security/products/flash-player/apsb14-18.html
Adobe Security BulletinPatch;Vendor Advisory
-
http://miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/
Michele Spagnuolo - Blog
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/95418
Adobe Flash Player JSONP cross-site request forgery CVE-2014-5333 Vulnerability Report
Jump to