Security advisory

Vulnerabilities in some SWF files could allow cross-site scripting

Release date: December 23, 2007

Vulnerability identifier: APSA07-06

CVE number: CVE-2007-6637


Adobe has provided a Flash Player update to mitigate potential cross-site scripting vulnerabilities in SWF files. For more information, please refer to the APSB08-11 Security Bulletin.

Preventative measures for developers and website owners

Adobe has provided updates for Dreamweaver and Acrobat Connect that resolve these issues. For more information, please refer to Security Bulletins APSB08-01 and APSB08-02. In addition, Adobe strongly recommends that Flash content creators use the data validation libraries found here: to help prevent XSS vulnerabilities in their own custom SWFs, and that they follow the guidelines in the Adobe whitepaper Creating More Secure SWF Web Applications.