Flash Player < 9.0.289 / 10.1.102.64 Multiple Vulnerabilities (APSB10-26)

medium Nessus Network Monitor Plugin ID 5699

Synopsis

The remote host contains a browser plugin that is vulnerable to multiple attack vectors.

Description

The remote host has Adobe Flash Player installed. Versions of Flash Player 9.x earlier than 9.0.289 and 10.x earlier than 10.1.102.64 are potentially affected by multiple vulnerabilities:

- A memory corruption vulnerability exists that could lead to code execution. Note that there are reports that this is being actively exploited in the wild. (CVE-2010-3654)
- An input validation issue exists that could lead to a bypass of cross-domain policy file restrictions with certain server encodings. (CVE-2010-3636)
- A memory corruption vulnerability exists in the ActiveX component. (CVE-2010-3637)
- An unspecified information disclosure vulnerability exists. Note that this issue only affects Flash Player on Safari. (CVE-2010-3638)
- An unspecified issue exists that could lead to a denial of service or potentially arbitrary code execution. (CVE-2010-3639)
- Multiple memory corruption issues exist that could lead to arbitrary code execution. (CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652)
- A library-loading vulnerability could lead to code execution. (CVE-2010-3639)

Solution

Upgrade to Flash Player 10.1.102.64 / 9.0.289 or later.

See Also

http://www.adobe.com/support/security/bulletins/apsb10-26.html

Plugin Details

Severity: Medium

ID: 5699

Family: Web Clients

Published: 11/5/2010

Updated: 3/6/2019

Dependencies: 5783

Nessus ID: 50493

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*

Patch Publication Date: 11/4/2010

Vulnerability Publication Date: 9/10/2010

Exploitable With

CANVAS (CANVAS)

Metasploit (Adobe Flash Player "Button" Remote Code Execution)

Reference Information

CVE: CVE-2010-3654, CVE-2010-3636, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3637, CVE-2010-3638, CVE-2010-3976

BID: 44504, 44675, 44677, 44678, 44679, 44680, 44681, 44682, 44683, 44684, 44685, 44686, 44687, 44691, 44692, 44669, 44671, 44690, 44693