CVE-2009-1879
Description
Cross-site scripting (XSS) vulnerability in index.template.html in the express-install templates in the SDK in Adobe Flex before 3.4, when the installed Flash version is older than a specified requiredMajorVersion value, allows remote attackers to inject arbitrary web script or HTML via the query string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in the express-install templates of the Adobe Flex SDK before 3.4 allows remote attackers to inject arbitrary script via the query string when the installed Flash version is outdated.
Vulnerability
The vulnerability is a DOM-based cross-site scripting (XSS) issue in the express-install templates of the Adobe Flex SDK, specifically in index.template.html. The flaw exists in versions before Adobe Flex 3.4. The vulnerability is triggered when the installed Flash Player version is older than the requiredMajorVersion value specified in the template. An attacker can inject arbitrary web script or HTML via the query string [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL that includes a query string with injected script. The attacker does not need authentication, but the victim must have an outdated Flash Player version and be enticed to click the link (user interaction required). The injected script executes in the context of the vulnerable page [1][2].
Impact
Successful exploitation allows remote attackers to execute arbitrary JavaScript in the victim's browser, leading to potential theft of sensitive information, session hijacking, or other malicious actions within the security context of the website using the Flex SDK [1][2].
Mitigation
The vulnerability is fixed in Adobe Flex SDK version 3.4. Users should upgrade to version 3.4 or later. No workaround is documented in the references [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (6)
- www.adobe.com/support/security/bulletins/apsb09-13.html (nvd: Patch, Vendor Advisory)
- www.gdssecurity.com/l/b/2009/08/20/adobe-flex-3-3-sdk-dom-based-xss/ (nvd: Exploit)
- secunia.com/advisories/36374 (nvd: Vendor Advisory)
- securitytracker.com/id (nvd: Third Party Advisory, VDB Entry)
- www.securityfocus.com/archive/1/505948/100/0/threaded (nvd: Third Party Advisory, VDB Entry)
- exchange.xforce.ibmcloud.com/vulnerabilities/52608 (nvd: VDB Entry)