CVE-2008-4401
Description
ActionScript in Adobe Flash Player 9.0.124.0 and earlier does not require user interaction in conjunction with (1) the FileReference.browse operation in the FileReference upload API or (2) the FileReference.download operation in the FileReference download API, which allows remote attackers to create a browse dialog box, and possibly have unspecified other impact, via an SWF file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player allows SWF files to initiate file uploads and downloads without user interaction via the ActionScript FileReference API.
Vulnerability
In Adobe Flash Player versions 9.0.124.0 and earlier, the ActionScript FileReference.browse and FileReference.download APIs do not require user interaction. A remote attacker can present a malicious SWF file that triggers these APIs, creating a browse dialog or initiating downloads without the user's knowledge or consent [1][2][3].
Exploitation
An attacker needs to host or inject a crafted SWF file that calls FileReference.browse() or FileReference.download(). The victim must visit the attacker-controlled SWF in a browser or any application using the vulnerable Flash Player. No user interaction is required beyond viewing the SWF [1][2].
Impact
Successful exploitation allows the attacker to cause the Flash Player to display a file browse dialog (potentially tricking the user into selecting a file for upload) or to initiate a file download without user consent. This could lead to unauthorized file upload from the user's system or download of arbitrary files, potentially aiding further attacks [1][2].
Mitigation
Adobe released updated Flash Player versions that require explicit user interaction (e.g., mouse-click or key-press) to initiate FileReference operations. The fix is included in Flash Player 9.0.124.0 and later; users should upgrade to the latest version [1][2]. Red Hat and Avaya also released corresponding security updates [3][4].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=9.0.124.0)
- cpe:2.3:a:adobe:flash_player:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.0.63:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.0.69.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.0.70.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.0_r67:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:8.0.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:8.0.34.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:8.0.35.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:8.0.39.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.112.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.114.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.115.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- secunia.com/advisories/32270 (nvd; Patch; Vendor Advisory)
- www.adobe.com/support/security/bulletins/apsb08-18.html (nvd; Patch; Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html (nvd)
- secunia.com/advisories/32448 (nvd)
- secunia.com/advisories/32702 (nvd)
- secunia.com/advisories/32759 (nvd)
- secunia.com/advisories/33390 (nvd)
- secunia.com/advisories/34226 (nvd)
- security.gentoo.org/glsa/glsa-200903-23.xml (nvd)
- securitytracker.com/id (nvd)
- sunsolve.sun.com/search/document.do (nvd)
- support.avaya.com/elmodocs2/security/ASA-2008-440.htm (nvd)
- support.avaya.com/elmodocs2/security/ASA-2009-020.htm (nvd)
- www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html (nvd)
- www.redhat.com/support/errata/RHSA-2008-0945.html (nvd)
- www.redhat.com/support/errata/RHSA-2008-0980.html (nvd)
- www.vupen.com/english/advisories/2008/2838 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/45913 (nvd)
News mentions
No linked articles in our index yet.