Adobe Flash Player issue where iframe contents may be overwritten


Adobe Flash Player contains an issue where the same-origin policy may be bypassed leading to iframe contents being overwritten.

Tokuji Akamine reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

  • Google Chrome
Adobe Systems, Inc.
  • Adobe AIR Desktop Runtime before (Windows/Macintosh)
  • Adobe AIR SDK before (Windows/Macintosh/Android/iOS)
  • Adobe AIR SDK & Compiler before (Windows/Macintosh/Android/iOS)
  • Adobe Flash Player Desktop Runtime before (Windows/Macintosh)
  • Adobe Flash Player Extended Support Release before (Windows/Macintosh)
  • Adobe Flash Player before (Linux)
  • Adobe Flash Player before (Chrome on Windows/Macintosh/Linux/ChromeOS)
  • Adobe Flash Player before (Internet Explorer 10/11 on Windows 8.0 and 8.1)
  • Adobe Flash Player before (Microsoft Edge/Internet Explorer 11 on Windows 10)
Microsoft Corporation
  • Microsoft Edge (Windows 10)
  • Microsoft Internet Explorer 10 (Windows 8/Windows Server 2012/Windows RT)
  • Microsoft Internet Explorer 11 (Windows 8.1/Windows Server 2012 R2/Windows RT 8.1)


Processing specially crafted Flash content may lead to iframe contents being overwritten.

[Apply an Update]
Update to the latest version according to the information provided by the developer.

This issue was addressed in the update released on October 13, 2015.
Vendor Information

Google Adobe Systems, Inc. Microsoft Corporation FUJITSU
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-7628

  1. JVN : JVN#22533124
  2. National Vulnerability Database (NVD) : CVE-2015-7628
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in Adobe Flash Player (APSB15-25)(CVE-2015-7628 and others) (in Japanese)
  4. JPCERT REPORT : JPCERT-AT-2015-0036
  5. @Police : For Adobe Flash Player security fix (2015/10/14) (in Japanese)
Revision History

  • [2015/12/17]
      Web page was published