CVE-2013-0648
Published: 27 February 2013
Summary
CVE-2013-0648 is a high-severity vulnerability of unspecified weakness type in Adobe Flash Player. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an unspecified flaw in the ExternalInterface ActionScript functionality of Adobe Flash Player. It affects versions before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, as well as versions before 10.3.183.67 and 11.x before 11.2.202.273 on Linux.
Remote attackers can exploit the issue by supplying crafted SWF content to a vulnerable player, resulting in arbitrary code execution on the target system. The CVSS 3.1 base score of 8.8 reflects a network attack vector, low attack complexity, and impact on confidentiality, integrity, and availability.
Adobe Security Bulletin APSB13-08 along with corresponding Red Hat and openSUSE advisories direct users to apply the vendor-supplied updates that resolve the flaw. The vulnerability was observed being exploited in the wild during February 2013.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-0659
Vulnerability details
Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.
- CWE(s): none listed
- KEV Date Added: 17 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires applying vendor patches to remediate the Flash Player ExternalInterface flaw before crafted SWF content can execute arbitrary code.
- SC-18 (Mobile Code): Restricts or disables execution of untrusted mobile code (SWF) in Flash Player, blocking the remote attack vector described in the CVE.
- SI-3 (Malicious Code Protection): Deploys malicious-code detection mechanisms that can identify and block exploit-bearing SWF files targeting the ExternalInterface vulnerability.
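The fixed-version thresholds in the description are platform-specific on the 11.x branch but shared on the 10.3 branch, which is easy to get wrong when building an SI-2 remediation worklist. The following is an added example (not part of the advisory or any Adobe tooling) that encodes those thresholds and triages a constructed inventory; the `Capabilities.version`-style string with a platform prefix (e.g. `WIN 11,6,602,171`) is assumed as one accepted input form.

```python
import re
from typing import Dict, List, Tuple

# First non-vulnerable build per branch, taken from the CVE description.
FIXED_10_3 = (10, 3, 183, 67)                  # same on all three platforms
FIXED_11_X = {
    "windows": (11, 6, 602, 171),
    "macosx": (11, 6, 602, 171),
    "linux": (11, 2, 202, 273),
}

def parse_flash_version(raw: str) -> Tuple[int, ...]:
    """Accept '11.6.602.171' or the Capabilities.version form 'WIN 11,6,602,171'."""
    token = raw.strip().split()[-1]            # drop an optional platform prefix
    parts = tuple(int(p) for p in re.split(r"[.,]", token))
    if len(parts) != 4:
        raise ValueError(f"unrecognised Flash Player version: {raw!r}")
    return parts

def is_affected(raw_version: str, platform: str) -> bool:
    """True if the build falls in a range the CVE text lists as vulnerable."""
    key = platform.lower().replace(" ", "")    # 'Mac OS X' -> 'macosx'
    if key not in FIXED_11_X:
        raise ValueError(f"platform not covered by the CVE text: {platform!r}")
    v = parse_flash_version(raw_version)
    if v < FIXED_10_3:                          # everything before 10.3.183.67
        return True
    if v[0] == 11 and v < FIXED_11_X[key]:      # 11.x branch, per-platform fix
        return True
    return False                                # fixed build, or a later branch

def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Hosts still on an affected build: the SI-2 flaw-remediation worklist."""
    return [h["host"] for h in inventory
            if is_affected(h["version"], h["platform"])]

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "Windows", "version": "WIN 11,6,602,171"},
    {"host": "ws-02", "platform": "Windows", "version": "11.2.202.273"},
    {"host": "mac-01", "platform": "Mac OS X", "version": "10.3.183.66"},
    {"host": "lx-01", "platform": "Linux", "version": "11.2.202.273"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))             # ['ws-02', 'mac-01']
```

Note that 11.2.202.273 is fixed on Linux but still affected on Windows, which is why the platform must travel with the version in the inventory.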