CVE-2012-0767
Published: 16 February 2012
Summary
CVE-2012-0767 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Flash Player. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a cross-site scripting flaw, tracked as CWE-79 and described as a Universal XSS issue, that exists in Adobe Flash Player. It affects versions prior to 10.3.183.15 and 11.x prior to 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; versions prior to 11.1.111.6 on Android 2.x and 3.x; and versions prior to 11.1.115.6 on Android 4.x. The flaw permits injection of arbitrary web script or HTML through unspecified vectors and carries a CVSS 3.1 score of 6.1.
Remote attackers can exploit the issue without authentication: the victim only has to load attacker-controlled content (a page or SWF) in a browser with a vulnerable plugin. Because the flaw is in Flash Player itself rather than in any particular web application, the injected script runs in the origin of a site of the attacker's choosing, which is what makes the XSS "universal" rather than confined to one vulnerable site. The vulnerability was actively exploited in the wild during February 2012.
Vendor advisories such as RHSA-2012-0144, the openSUSE and Gentoo security announcements, and Secunia alerts address the issue by shipping updated Flash Player packages at or above the fixed builds. Because the CVE record notes in-the-wild exploitation, any installation still running a pre-fix build at the time of disclosure was exposed to working attacks, not merely theoretical risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-0799
Vulnerability details
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)," as exploited in the wild in February 2012.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Adobe Flash Player before 10.3.183.15, and 11.x before 11.1.102.62, on Windows, Mac OS X, Linux, and Solaris
- Adobe Flash Player before 11.1.111.6 on Android 2.x and 3.x
- Adobe Flash Player before 11.1.115.6 on Android 4.x
Mitigating Controls (NIST 800-53 r5)
- SC-18 (Mobile Code): Directly governs the use and execution of mobile code such as Flash SWFs; blocking or restricting the plugin removes the component through which the Universal XSS vector is exercised.
- SI-2 (Flaw Remediation): Requires prompt application of the vendor patches, i.e. the fixed builds listed under Affected Assets, that remediate the input-handling flaw in Flash Player.
- SI-10 (Information Input Validation): Enforces validation of untrusted input before it reaches the vulnerable Flash Player component. Note that because the flaw lies in the plugin itself rather than in any site's input handling, validation by a web application is at best a partial compensating measure; updating or removing the plugin is the effective fix.
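The following is an added example, not code from this page, from Adobe, or from any of the advisories cited. It turns the version ranges in the CVE description into the inventory check a practitioner would run when applying SI-2: given a platform and an installed Flash Player version string, it decides whether that build predates the first fixed build for its branch (10.3 and 11.x are separate branches on desktop, so a patched 10.3.183.15 is not flagged even though it is older than 11.1.102.62). The platform labels, the CSV inventory layout and the sample records are assumptions constructed for the example; the thresholds are the ones stated in the CVE description.

```python
"""Check Flash Player inventory records against the CVE-2012-0767 fixed builds.

Added example for this page; not Adobe's code or any vendor advisory's.
The version thresholds are the ones in the CVE description. The platform
labels, the CSV layout and the inventory rows are constructed for the example.
"""
import csv
import io
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed build per supported branch, keyed by branch major version.
# A build is affected when it is below the fixed build of its branch; a build
# older than every listed branch (e.g. 9.x on desktop) is affected as well.
FIXED_BUILDS: Dict[str, Dict[int, str]] = {
    # Windows, Mac OS X, Linux, Solaris: 10.3 and 11.x branches
    "windows": {10: "10.3.183.15", 11: "11.1.102.62"},
    "macos":   {10: "10.3.183.15", 11: "11.1.102.62"},
    "linux":   {10: "10.3.183.15", 11: "11.1.102.62"},
    "solaris": {10: "10.3.183.15", 11: "11.1.102.62"},
    # Android 2.x and 3.x share one threshold; Android 4.x has its own
    "android2": {11: "11.1.111.6"},
    "android3": {11: "11.1.111.6"},
    "android4": {11: "11.1.115.6"},
}


def parse_version(text: str) -> Version:
    """Turn a Flash version string into a comparable tuple of integers.

    Accepts the plain dotted form ("11.1.102.55") and the comma-separated form
    Flash itself reports via Capabilities.version ("WIN 11,1,102,55"): the last
    whitespace-separated token is taken and commas are treated as dots.
    """
    tokens = text.strip().split()
    if not tokens:
        raise ValueError(f"empty Flash version string: {text!r}")
    parts = tokens[-1].replace(",", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool:
    """True if this build of Flash Player on this platform is still vulnerable."""
    branches = FIXED_BUILDS[platform]  # KeyError for an unknown platform label
    installed = parse_version(version)
    # The branch is the highest listed major not above the installed major;
    # anything older than the lowest branch is compared against that branch,
    # which it is necessarily below.
    majors = sorted(branches)
    not_above = [m for m in majors if m <= installed[0]]
    branch = not_above[-1] if not_above else majors[0]
    # Tuple comparison is lexicographic, so 11.1 < 11.1.102.62 and 12.0 > 11.1.102.62
    return installed < parse_version(branches[branch])


# Constructed sample inventory (not real hosts). The last row carries the
# comma form Flash reports, so the field is CSV-quoted.
SAMPLE_INVENTORY = """\
host,platform,version
ws-01,windows,11.1.102.55
ws-02,windows,11.1.102.62
mac-07,macos,10.3.183.15
lab-03,linux,10.3.183.11
tab-11,android4,11.1.111.6
tab-12,android2,11.1.111.6
kiosk-2,windows,"WIN 9,0,280,0"
"""


def triage(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (host, platform, version) for every record that is still affected."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [
        (row["host"], row["platform"], row["version"])
        for row in reader
        if is_affected(row["platform"], row["version"])
    ]


if __name__ == "__main__":
    for host, platform, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {platform} Flash Player {version} predates the fixed build")
```

On the sample data the check flags ws-01, lab-03, tab-11 and kiosk-2: tab-11 is on Android 4.x, where 11.1.111.6 is still below the 11.1.115.6 threshold, while the same build on tab-12 (Android 2.x) is already fixed. Feed it a real inventory export and the only thing to adapt is the platform labelling.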