CVE-2010-3636

2010-11-0722:00:01

CWE-264

adobe

web.nvd.nist.gov

adobe flash player

cross-domain policy

remote code execution

cve-2010-3636

security vulnerability

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score

9.2

Confidence

High

EPSS

0.01

Percentile

83.5%

JSON

Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris, and 10.1.95.1 on Android, does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors.

Affected configurations

Nvd

Node

adobeflash_playerRange9.0–9.0.289.0

adobeflash_playerRange10.0–10.1.102.64

AND

applemac_os_xMatch-

linuxlinux_kernelMatch-

microsoftwindowsMatch-

sunsolarisMatch-

Node

adobeflash_playerRange≤10.1.95.1

AND

googleandroidMatch-

VendorProductVersionCPE
adobeflash_player*cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
applemac_os_x-cpe:2.3:o:apple:mac_os_x:-:*:*:*:*:*:*:*
linuxlinux_kernel-cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
microsoftwindows-cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
sunsolaris-cpe:2.3:o:sun:solaris:-:*:*:*:*:*:*:*
googleandroid-cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
adobe	flash_player	*	cpe:2.3:a:adobe:flash_player::::::::
apple	mac_os_x	-	cpe:2.3:o:apple:mac_os_x:-:::::::*
linux	linux_kernel	-	cpe:2.3:o:linux:linux_kernel:-:::::::*
microsoft	windows	-	cpe:2.3:o:microsoft:windows:-:::::::*
sun	solaris	-	cpe:2.3:o:sun:solaris:-:::::::*
google	android	-	cpe:2.3:o:google:android:-:::::::*