CVE-2007-6244
Description
Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Player 9.x up to 9.0.48.0 and 8.x up to 8.0.35.0 allow remote attackers to inject arbitrary web script or HTML via (1) a SWF file that uses the asfunction: protocol or (2) the navigateToURL function when used with the Flash Player ActiveX Control in Internet Explorer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player 8 and 9 are vulnerable to cross-site scripting via the asfunction protocol and navigateToURL in IE, allowing arbitrary script injection.
Vulnerability
Adobe Flash Player versions 9.x up to 9.0.48.0 and 8.x up to 8.0.35.0 contain multiple cross-site scripting (XSS) vulnerabilities [1][4]. The first issue involves the asfunction: protocol in SWF files, which can be used to inject arbitrary web script or HTML. The second issue affects the navigateToURL function when used with the Flash Player ActiveX Control in Internet Explorer. These vulnerabilities allow remote attackers to inject malicious script into the context of a website hosting a vulnerable Flash file.
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious SWF file that uses the asfunction: protocol or by leveraging the navigateToURL function in Internet Explorer. The attacker does not require authentication and can deliver the SWF file via any means (e.g., hosting on a website, embedding in an email). The victim must visit a page that loads the malicious SWF file. No user interaction beyond loading the Flash content is needed.
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and script in the security context of the domain hosting the vulnerable Flash file. This can lead to information disclosure, session hijacking, or other actions that the victim's browser can perform on that domain. The attacker gains the same privileges as the victim user within the affected website.
Mitigation
Adobe released updates to address these issues. Fixed versions include Flash Player 9.0.115.0 and 8.0.39.0 (or later) as per Adobe Security Bulletin APSB07-20 [4]. Users should update to the latest Flash Player version. Red Hat also issued an advisory [1] for affected distributions. As a workaround, users can disable ActiveX controls in Internet Explorer or limit access to untrusted Flash files [4].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.kb.cert.org/vuls/id/758769 (US Government Resource)
- www.us-cert.gov/cas/techalerts/TA07-355A.html (US Government Resource)
- crypto.stanford.edu/advisories/CVE-2007-6244/
- lists.opensuse.org/opensuse-security-announce/2007-12/msg00007.html
- secunia.com/advisories/28157
- secunia.com/advisories/28161
- secunia.com/advisories/28213
- secunia.com/advisories/28570
- secunia.com/advisories/30507
- securitytracker.com/id
- sunsolve.sun.com/search/document.do
- www.adobe.com/support/security/bulletins/apsb07-20.html
- www.gentoo.org/security/en/glsa/glsa-200801-07.xml
- www.redhat.com/support/errata/RHSA-2007-1126.html
- www.securityfocus.com/bid/26929
- www.securityfocus.com/bid/26949
- www.securityfocus.com/bid/26960
- www.vupen.com/english/advisories/2007/4258
- www.vupen.com/english/advisories/2008/1724/references
- exchange.xforce.ibmcloud.com/vulnerabilities/39130
- exchange.xforce.ibmcloud.com/vulnerabilities/39131
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10210
News mentions
No linked articles in our index yet.