CVE-2011-2458
Description
Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, when Internet Explorer is used, allows remote attackers to bypass the cross-domain policy via a crafted web site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player and AIR, when used with Internet Explorer, allow a cross-domain policy bypass via a crafted website.
Vulnerability
Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris, and before 11.1.102.59 on Android, as well as Adobe AIR before 3.1.0.4880, contain a cross-domain policy bypass vulnerability when used with Internet Explorer. The issue arises from improper enforcement of cross-domain policies, allowing a crafted website to bypass security restrictions [1].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious website that, when visited by a user running Internet Explorer with an affected Flash Player or AIR version, causes the player to ignore cross-domain policy restrictions. No authentication or additional privileges are required; the user simply needs to browse to the attacker's site [1].
Impact
Successful exploitation allows the attacker to bypass the cross-domain policy, potentially enabling unauthorized reading of data from other domains. This could lead to information disclosure, such as stealing cookies or sensitive content from other websites, within the browser's security context [1].
Mitigation
Fixed versions include Adobe Flash Player 10.3.183.11, 11.1.102.55 (or 11.1.102.59 on Android), and Adobe AIR 3.1.0.4880. Users should upgrade to these or later versions. The Gentoo advisory recommends upgrading to >=11.2.202.228. No workaround is available [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* (range: >=3.0,<3.1.0.4880)
- (no CPE) (range: <3.1.0.4880)
- Range: <10.3.183.11 (10.x); <11.1.102.55 (11.x on desktop); <11.1.102.59 (Android)
Patches
No patches discovered yet.
References
- www.adobe.com/support/security/bulletins/apsb11-28.html (nvd: Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2011-11/msg00014.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2011-11/msg00017.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2011-11/msg00019.html (nvd: Mailing List, Third Party Advisory)
- secunia.com/advisories/48819 (nvd: Third Party Advisory)
- security.gentoo.org/glsa/glsa-201204-07.xml (nvd: Third Party Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14014 (nvd: Third Party Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16179 (nvd: Third Party Advisory)