CVE 2014-4671

Adobe Flash Player before and 14.x before on Windows and OS X and before on Linux, Adobe AIR before on Android, Adobe AIR SDK before, and Adobe AIR SDK & Compiler before do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

See the CVE page on for more details.