Cyber Resilience

CVE-2012-0767

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 February 2012

Modified: 21 April 2026
KEV Added: 08 June 2022
Patch
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1491 (94.7th percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-0767 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Flash Player. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a cross-site scripting flaw, tracked as CWE-79 and described as a Universal XSS issue, that exists in Adobe Flash Player. It affects versions prior to 10.3.183.15 and 11.x prior to 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; versions prior to 11.1.111.6 on Android 2.x and 3.x; and versions prior to 11.1.115.6 on Android 4.x. The flaw permits injection of arbitrary web script or HTML through unspecified vectors and carries a CVSS 3.1 score of 6.1.

Remote attackers can exploit the issue without authentication by delivering malicious content that leverages the Flash Player component, resulting in script execution in the context of the affected site. The vulnerability was actively exploited in the wild during February 2012.

Vendor advisories such as RHSA-2012-0144, openSUSE and Gentoo security announcements, and Secunia alerts address the issue through updated Flash Player packages that remediate the input-handling weakness. The real-world exploitation noted in the CVE record indicates immediate operational impact on any unpatched installations at the time of disclosure.

EU & UK References

Vulnerability details

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)," as exploited in the wild in February 2012.

CWE(s): CWE-79
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
flash player
≤ 10.3.183.15 · 11.0 — 11.1.102.62 · ≤ 11.1.111.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly governs use and execution of mobile code such as Flash SWFs, preventing the Universal XSS vector from being exercised.

prevent

Requires prompt application of vendor patches that remediate the input-handling flaw in Flash Player.

prevent

Enforces validation of untrusted input before it reaches the vulnerable Flash Player component, mitigating injection attempts.

References