Vulnerability identifier: #VU1427
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-59
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Adobe AIR
Client/Desktop applications /
Multimedia software
Adobe Flash Player
Client/Desktop applications /
Plugins for browsers, ActiveX components
Vendor: Adobe
Description
The vulnerability allows a remote attacker to hijack the clicking action of the victim.
The vulnerability exists in IBM Security Identity Manager Virtual Appliance. A remote attacker can hijack the target user's mouse clicks and take actions on the site acting as the target user by tricking the victim into visiting a malicious web site.
Successful exploitation of this vulnerability may result in disclosure of user information.
Mitigation
Update Adobe Flash Player 9.x and earlier to version 9.0.246.0:
http://www.adobe.com/support/flashplayer/downloads.html#fp9
Update Adobe Flash Player 10.x to version 10.0.32.18:
http://www.adobe.com/go/getflashplayer
Update Adobe Air to version 1.5.2.
http://get.adobe.com/air/
Vulnerable software versions
Adobe AIR: 1.0 - 1.5.2
Adobe Flash Player: 9.0.124.0 - 10.0.32.18
External links
http://www.adobe.com/support/security/bulletins/apsb09-10.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.