NVD

Id
33033  
Name
CVE-2014-5333  
Description
Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a "$" (dollar sign) or "(" (open parenthesis) character. NOTE: this issue exists because of an incomplete fix for CVE-2014-4671.  
Reject
 
CVSS Version
2  
CVSS Score
4.3  
Severity
Medium  
CVSS Base Score
4.3  
CVSS Impact Subscore
2.9  
CVSS Exploit Subscore
8.6  
CVSS Vector
(AV:N/AC:M/Au:N/C:P/I:N/A:N)  
Pub Date
2017-01-19  
Published
2014-08-19  
Modified Date
2017-01-06  
Seq
2014-5333  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
173335 33033 CVE-2014-5333 http://helpx.adobe.com/security/products/flash-player/apsb14-18.html  View
173336 33033 CVE-2014-5333 http://miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/  View
173337 33033 CVE-2014-5333 adobe-cve20145333-csrf(95418)  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
14976 JVNDB-2014-003851 Adobe Flash Player および Adobe AIR におけるクロスサイトリクエストフォージェリ攻撃を実行される脆弱性 Adobe Flash Player および Adobe AIR は、SWF ファイルフォーマットを適切に制限しないため、JSONP エンドポイントに対してクロスサイトリクエストフォージェリ攻撃を実行され、重要な情報を取得される脆弱性が存在します。 CVE-2014-5333 72622 CVE-2014-5333 33033 6.8 http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-003851.html 2014-08-12 2014-08-26 View