#VU5477 Information disclosure in Adobe products - CVE-2015-3125

Cybersecurity Help s.r.o.

Published: 2017-01-30 | Updated: 2017-02-22

Vulnerability identifier: #VU5477

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-3125

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Adobe AIR
Client/Desktop applications / Multimedia software
Adobe Flash Player for Linux
Client/Desktop applications / Plugins for browsers, ActiveX components
Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components
Adobe Flash Player Extended Support Release
Client/Desktop applications / Plugins for browsers, ActiveX components

Vendor: Adobe

Description
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can bypass the same-origin-policy and gain access to important data.

Successful exploitation of this vulnerability results in information disclosure on the vulnerable system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Adobe AIR: 18.0.0.144 - 18.0.0.180

Adobe Flash Player for Linux: 11.2.202.332 - 11.2.202.481

Adobe Flash Player: 18.0.0 - 18.0.0.203

Adobe Flash Player Extended Support Release: 13.0.0.260 - 13.0.0.302

External links
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Adobe Flash Player

SUSE Linux update for flash-player

Multiple vulnerabilities in Adobe Flash Player