Rapid7 Vulnerability & Exploit Database

Cross-Site Flashing

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 05/01/2007
Created: 07/25/2018
Added: 02/14/2011
Modified: 06/20/2013

Description

Cross-Site Flashing occurs when user-controlled data is used, without validation, in one of the following functions or variables:

  • loadVariables
  • loadMovie
  • getURL
  • loadMovieNum
  • FScrollPane.loadScrollContent
  • Sound.loadSound
  • NetStream.play
  • flash.external.ExternalInterface.call
  • htmlText

In other words, the Flash application must reference external URLs whose locations are set through user-defined parameters (usually FlashVars).

For this vulnerability to be exploited successfully, the victim needs to click on a specially crafted link created by the attacker, which uses the vulnerable Flash application to, for example, steal users' credentials.
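One way to triage decompiled ActionScript for the pattern described above, as an added example that is not part of the original entry or of Rapid7's check: the Python script below flags the listed sinks when their argument comes from `_root`, `_level0`, `_global` or `loaderInfo.parameters` (assumed parameter sources), following one level of simple variable assignment. `find_candidate_sinks`, the regexes and the sample script are constructed for illustration; hits are candidates for manual review, since the scan cannot see validation done elsewhere.

```python
import re

# Method names from the sink list above. Only the last dotted component is
# matched, because instances are called as e.g. mySound.loadSound(...).
SINKS = ("loadVariables", "loadMovie", "loadMovieNum", "getURL",
         "loadScrollContent", "loadSound", "play", "ExternalInterface.call")
CALL = re.compile(r"\b(%s)\s*\((.*)\)" % "|".join(map(re.escape, SINKS)))
HTML_TEXT = re.compile(r"\.(htmlText)\s*=\s*(.+?);")
ASSIGN = re.compile(r"^\s*(?:var\s+)?(\w+)(?:\s*:\s*\w+)?\s*=\s*(.+?);")
# Assumption: externally supplied parameters are read through these objects.
SOURCE = re.compile(r"\b(?:_root|_level0|_global)\.\w+|\bloaderInfo\.parameters\b")
STRING = re.compile(r'"[^"]*"|\'[^\']*\'')


def find_candidate_sinks(actionscript):
    """Return (line_no, sink, argument) for sinks fed by external parameters."""
    tainted, findings = set(), []

    def is_tainted(expr):
        bare = STRING.sub('""', expr)  # ignore names inside string literals
        return bool(SOURCE.search(bare)) or any(
            re.search(r"\b%s\b" % re.escape(v), bare) for v in tainted)

    for no, line in enumerate(actionscript.splitlines(), 1):
        if line.lstrip().startswith("//"):  # skip whole-line comments
            continue
        hit = CALL.search(line) or HTML_TEXT.search(line)
        if hit and is_tainted(hit.group(2)):
            findings.append((no, hit.group(1), hit.group(2).strip()))
        assign = ASSIGN.match(line)
        if assign:  # one-level propagation through simple assignments
            name, value = assign.groups()
            (tainted.add if is_tainted(value) else tainted.discard)(name)
    return findings


# Constructed sample of decompiled ActionScript 2, for illustration only.
SAMPLE = """\
var clip = _root.clipUrl;
loadMovie(clip, holder);
getURL("http://example.com/help");
banner.htmlText = "<b>" + _level0.msg + "</b>";
clip = "intro.swf";
loadMovieNum(clip, 1);
snd.loadSound(_root.track, true);
"""

if __name__ == "__main__":
    for no, sink, arg in find_candidate_sinks(SAMPLE):
        print("line %d: %s <- %s" % (no, sink, arg))
```

Constant arguments (sample lines 3 and 6) are not reported, and reassigning `clip` to a literal clears its taint before the `loadMovieNum` call.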

Solution(s)

  • spider-actionscript-cross-site-flashing
