CVE-2008-4822
Description
Adobe Flash Player 9.0.124.0 and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player 9.0.124.0 and earlier improperly interprets policy files, allowing remote attackers to bypass non-root domain policy.
Vulnerability
Adobe Flash Player versions 9.0.124.0 and earlier do not properly interpret policy files, allowing a remote attacker to bypass non-root domain restrictions. This affects the flash-plugin package on multiple platforms [4].
Exploitation
An attacker can craft a malicious SWF file that, when loaded by the user's Flash Player (e.g., via a web page), exploits the policy interpretation flaw to bypass the intended domain policy. No authentication is required; the only prerequisite is user interaction to load the SWF.
Impact
Successful exploitation enables the attacker to perform cross-domain and cross-site scripting attacks, potentially gaining access to data from other domains or performing actions in the context of the user's session.
Mitigation
Updates are available from Adobe and vendors. Apple's Security Update 2008-008 [1], Red Hat's RHSA-2008-0980 [2], and Sun's Sun 248586 (included in Avaya ASA-2009-020) [4] address this issue. Users should upgrade to a fixed version of Flash Player (e.g., 10.0.0.0 or later).
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=9.0.124.0)
- cpe:2.3:a:adobe:flash_player:7.0.69.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:8.0.39.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.112.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.114.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.115.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.16:*:windows:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.18d60:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.28.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.28.0:*:mac_os_x:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.31:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.45.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.47.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:9.0.48.0:*:*:*:*:*:*:*
- Range: <=9.0.124.0
Patches
No patches discovered yet.
References
- www.adobe.com/support/security/bulletins/apsb08-20.html (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/32129 (nvd: Patch)
- www.us-cert.gov/cas/techalerts/TA08-350A.html (nvd: US Government Resource)
- lists.apple.com/archives/security-announce//2008//Dec/msg00000.html (nvd)
- secunia.com/advisories/32702 (nvd)
- secunia.com/advisories/33179 (nvd)
- secunia.com/advisories/33390 (nvd)
- secunia.com/advisories/34226 (nvd)
- security.gentoo.org/glsa/glsa-200903-23.xml (nvd)
- sunsolve.sun.com/search/document.do (nvd)
- support.apple.com/kb/HT3338 (nvd)
- support.avaya.com/elmodocs2/security/ASA-2008-440.htm (nvd)
- support.avaya.com/elmodocs2/security/ASA-2009-020.htm (nvd)
- support.nortel.com/go/main.jsp (nvd)
- www.redhat.com/support/errata/RHSA-2008-0980.html (nvd)
- www.securitytracker.com/id (nvd)
- www.vupen.com/english/advisories/2008/3444 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/46535 (nvd)