Summary
The remote host is probably affected by the vulnerabilities described in CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654 and CVE-2008-1655.
Impact
CVE-2007-5275
The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a victim machine to establish TCP sessions with arbitrary hosts via a Flash (SWF) movie, related to lack of pinning of a hostname to a single IP address after receiving an allow-access-from element in a cross-domain-policy XML document, and the availability of a Flash Socket class that does not use the browser's DNS pins, aka DNS rebinding attacks, a different issue than CVE-2002-1467 and CVE-2007-4324.
CVE-2007-6019
Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via an SWF file with a modified DeclareFunction2 ActionScript tag, which prevents an object from being instantiated properly.
CVE-2007-6243
Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up to 7.0.70.0 does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks.
CVE-2007-6637
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player allow remote attackers to inject arbitrary web script or HTML via a crafted SWF file, related to 'pre-generated SWF files' and Adobe Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the asfunction: vector is already covered by CVE-2007-6244.1.
CVE-2008-1654
An interaction error between Adobe Flash and multiple Universal Plug and Play (UPnP) services allows remote attackers to perform Cross-Site Request Forgery (CSRF) style attacks by using the Flash navigateToURL function to send a SOAP message to a UPnP control point, as demonstrated by changing the primary DNS server.
CVE-2008-1655
Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, makes it easier for remote attackers to conduct DNS rebinding attacks via unknown vectors.
Solution
All Adobe Flash Player users should upgrade to the latest version:
References
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5275
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6019
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6243
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6637
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1654
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1655
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2007-5275, CVE-2007-6019, CVE-2007-6243, CVE-2007-6637, CVE-2008-1654, CVE-2008-1655
- CVSS Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)