Flash Player allows to send arbitrary Referer headers


Flash Player from Adobe contains a vulnerability that allows arbitrary Referer headers to be sent.

Flash Player from Adobe is a multimedia and application browser plugin for viewing Adobe Flash content.
Flash Player contains a vulnerability that allows arbitrary Referer headers to be sent.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Adobe Systems, Inc.
  • Adobe Flash Player and earlier
Sun Microsystems, Inc.
  • Sun Solaris 10 (sparc)
  • Sun Solaris 10 (x86)


Because a Flash file (SWF) can send an arbitrary Referer header and Flash Player does not properly validate the Referer header sent by the SWF, a remote attacker could bypass a security measure that a web application applies based on the Referer header.
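
The effect on a Referer-based control, shown as an added example that is not part of the original advisory: a server-side check that trusts only the Referer header accepts a request whose header value was chosen by the client, while a per-session token check (a standard defence against CWE-352) rejects it. The origin, session dictionary, function names and sample requests are constructed for illustration.

```python
import hmac
import secrets

TRUSTED_ORIGIN = "https://app.example"  # assumed site origin (constructed)


def referer_only_check(headers):
    """Weak control: trusts a header whose value the client can choose."""
    return headers.get("Referer", "").startswith(TRUSTED_ORIGIN + "/")


def issue_csrf_token(session):
    """Store a random per-session token; the site embeds it in its own forms."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def token_check(session, form):
    """Stronger control: needs a secret a cross-site document cannot read."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def evaluate(request, session):
    """Return the verdict of each control for one state-changing request."""
    return {
        "referer_only": referer_only_check(request["headers"]),
        "token": token_check(session, request["form"]),
    }


# Constructed sample data: one session and two POST requests.
SESSION = {}
TOKEN = issue_csrf_token(SESSION)
LEGITIMATE = {"headers": {"Referer": TRUSTED_ORIGIN + "/settings"},
              "form": {"email": "user@example.org", "csrf_token": TOKEN}}
# Cross-site request carrying a Referer that claims the trusted origin.
FORGED = {"headers": {"Referer": TRUSTED_ORIGIN + "/settings"},
          "form": {"email": "other@example.net"}}

if __name__ == "__main__":
    print("legitimate:", evaluate(LEGITIMATE, SESSION))
    print("forged    :", evaluate(FORGED, SESSION))
```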

[Update the Software]

Update to the latest version provided by the vendor.

For more information, refer to the vendor's website.
Vendor Information

Adobe Systems, Inc.
Sun Microsystems, Inc.
  • Sun Alert Notification : 201506
CWE

  1. Cross-Site Request Forgery(CWE-352) [NVD Evaluation]
CVE

  1. CVE-2007-3457

  1. JVN : JVNTA07-192A (Japanese)
  2. JVN : JVN#72595280
  3. JVN Status Tracking Notes : TRTA07-192A (Japanese)
  4. National Vulnerability Database (NVD) : CVE-2007-3457
  5. US-CERT Cyber Security Alerts : SA07-192A
  6. US-CERT Vulnerability Note : VU#138457
  7. US-CERT Technical Cyber Security Alert : TA07-192A
  8. Secunia Advisory : SA26027
  9. SecurityFocus : 24779
  10. FrSIRT Advisories : FrSIRT/ADV-2007-2497
Revision History

  • [2008/05/21]
      Web page published