Description
Adobe Flex 3 contains a DOM-based cross-site scripting (XSS) vulnerability in the History Management feature. This vulnerability allows attackers to inject malicious scripts into web applications built with Flex 3 that have History Management enabled. The flaw exists in client-side JavaScript code that processes user-controlled input without proper sanitization, enabling script execution in the context of the vulnerable application.
Remediation
Organizations using Adobe Flex 3 should take the following remediation steps:
1. Update the Flex SDK: Download and install the Flex 3.0.2 SDK update from Adobe's official website, which addresses this vulnerability
2. Rebuild affected applications: Recompile all Flex applications that use the History Management feature with the updated SDK
3. Redeploy applications: Replace all deployed instances of affected applications with the recompiled versions
4. Verify the fix: Test updated applications to ensure History Management functionality works correctly and the vulnerability is resolved
5. Update development environments: If using Flex Builder 3, update all development instances to use the patched SDK to prevent introduction of the vulnerability in future builds
For applications where History Management is not required, consider disabling this feature as an additional security measure.
References
Update to Flex 3 to address potential cross-site scripting vulnerability
JavaScript Code Flow Manipulation, and a real world example advisory - Adobe Flex 3 Dom-Based XSS
Related Vulnerabilities
WordPress Plugin Redux Framework Cross-Site Scripting (4.4.17)
WordPress Plugin WordPress Social Login Cross-Site Scripting (2.0.3)
Joomla! Core 3.x.x Cross-Site Scripting (3.2.0 - 3.9.3)
WordPress Plugin QIWI payment module for Woocommerce Cross-Site Scripting (0.0.9)
WordPress Plugin NextScripts:Social Networks Auto-Poster Cross-Site Scripting (4.2.7)