CVE-2011-2461
Description
Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Adobe Flex SDK 3.x–4.5.1 persists in every SWF compiled with an affected SDK until it is recompiled, allowing same-origin request forgery and data theft even on fully patched Flash Players.
Vulnerability
The vulnerability resides in Adobe Flex SDK versions 3.x and 4.x before 4.6 [1][2]. It arises from the ResourceManager component, which allows loading localization modules via a Flash variable named resourceModuleURLs. When a parent SWF loads a child module, it sets the child's SecurityDomain to SecurityDomain.currentDomain, bypassing cross-domain security restrictions [2]. This enables an attacker to inject arbitrary web script or HTML by controlling the resourceModuleURLs variable and loading a malicious module from an attacker-controlled domain [1][2]. Affected versions include all Flex SDK releases from 3.0 up to 4.5.1 [1][2].
Exploitation
The attacker must convince a victim to visit a crafted webpage that hosts a vulnerable SWF file compiled with an affected Flex SDK [4]. By setting the resourceModuleURLs Flash variable to point to an attacker-controlled domain, the SWF loads a malicious module that executes in the same security context as the parent application [2]. This results in same-origin request forgery and cross-site content hijacking, allowing the attacker to perform actions on behalf of the victim or steal sensitive data from the vulnerable site [1][4]. No authentication or special network position is required beyond the victim visiting the malicious page [4].
Impact
Successful exploitation enables an attacker to forge same-origin requests and read responses, leading to information disclosure (e.g., session tokens, personal data) and cross-site request forgery (e.g., performing actions as the authenticated user) [1][4]. The attacker gains the privilege level of the victim on the vulnerable domain; no privilege escalation within the Flash runtime itself occurs, but the attacker effectively bypasses the same-origin policy for that domain [2][4]. The vulnerability can be exploited even on fully patched web browsers and the latest Flash Player because the flaw is embedded in the compiled SWF file itself [1][2].
Mitigation
Adobe released a security bulletin (apsb11-25) and a patched version of the Flex SDK (4.6) in 2011 [1][2]. However, SWF files compiled with a vulnerable SDK remain exploitable regardless of the Flash Player version. The only definitive mitigation is to recompile the affected Flex application using the patched SDK (Flex 4.6 or later) and redeploy the SWF file [1][2]. For applications that cannot be immediately recompiled, no workaround exists; organizations must identify and replace vulnerable SWFs [1][4]. As of 2015, many high-profile websites were still hosting vulnerable SWFs, highlighting the need for proactive scanning and remediation [1][2][4].
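As a complement to the scanning mentioned above, the following added example (not taken from this record or its references) checks web-server access logs for SWF requests whose resourceModuleURLs variable names a host other than the serving site. It assumes the Flash variable arrives in the SWF URL's query string; the log lines, host names and the SITE_HOSTS allow-list are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined format); hosts and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "GET /app/main.swf?resourceModuleURLs=locales/es_ES.swf HTTP/1.1" 200 48211
198.51.100.23 - - [12/Mar/2015:10:04:19 +0000] "GET /app/main.swf?resourceModuleURLs=http%3A%2F%2Fmodules.other-site.example%2Fm.swf HTTP/1.1" 200 48211
198.51.100.23 - - [12/Mar/2015:10:04:40 +0000] "GET /app/main.swf?locale=en_US&resourceModuleURLs=//modules.other-site.example/m.swf,locales/en_US.swf HTTP/1.1" 200 48211
203.0.113.9 - - [12/Mar/2015:10:06:00 +0000] "GET /app/main.swf?resourceModuleURLs=https://shop.example.com/locales/fr_FR.swf HTTP/1.1" 200 48211
203.0.113.9 - - [12/Mar/2015:10:07:31 +0000] "GET /index.html?resourceModuleURLs=http://modules.other-site.example/ HTTP/1.1" 200 1033
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SITE_HOSTS = frozenset({"shop.example.com"})  # assumption: hosts trusted to serve modules


def offsite_module_urls(line, site_hosts=SITE_HOSTS):
    """Return resourceModuleURLs entries in one log line that name another host."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith(".swf"):
        return []
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name.lower() != "resourcemoduleurls":
            continue
        for entry in value.split(","):  # assumption: comma-separated URL list
            entry = entry.strip()
            try:
                host = urlsplit(entry).hostname
            except ValueError:
                host = ""  # unparseable authority: report it for review
            # host is None for relative paths, which stay on the serving site.
            if host is not None and host not in site_hosts:
                hits.append(entry)
    return hits


def scan(log_text):
    """Return (line_number, url) pairs for every off-site module reference."""
    return [(n, url)
            for n, line in enumerate(log_text.splitlines(), start=1)
            for url in offsite_module_urls(line)]


if __name__ == "__main__":
    for line_no, url in scan(SAMPLE_LOG):
        print(f"line {line_no}: off-site resource module requested: {url}")
```

A hit shows which SWF was targeted, not that it is vulnerable; Flash variables supplied through the embedding HTML never reach the server log, so recompiling with Flex 4.6 or later remains the fix.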
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flex_sdk:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.5a:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flex_sdk:4.5.1:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/131376/Magento-eCommerce-Vulnerable-Adobe-Flex-SDK.html (nvd, Exploit)
- www.adobe.com/support/security/bulletins/apsb11-25.html (nvd, Vendor Advisory)
- blog.mindedsecurity.com/2015/03/the-old-is-new-again-cve-2011-2461-is.html (nvd)
- blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html (nvd)
- kb2.adobe.com/cps/915/cpsid_91544.html (nvd)
- secunia.com/advisories/47053 (nvd)
- threatpost.com/adobe-cve-2011-2461-remains-exploitable-four-years-after-patch/111754 (nvd)