Cross-Domain Misconfiguration - Adobe - Send
- Risk:
High
- Type:
- Active
- Summary
Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.
- Solution
Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain send (but not necessarily read) requests to this web server, using
. You should only grant access to "*" (all domains) if you are certain that this service is not vulnerable to Cross Site Request Forgery (CSRF) attacks.
- Other info
- The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victims web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use.
- References
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
AWS outage crashes Amazon, Prime Video, Fortnite, Perplexity and more
Oracle silently fixes zero-day exploit leaked by ShinyHunters
CISA: High-severity Windows SMB flaw now exploited in attacks
Hard-coded credentials found in Moxa industrial security appliances, routers (CVE-2025-6950)
CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw
Hackers exploiting critical "SessionReaper" flaw in Adobe Magento
Over 75,000 WatchGuard security devices vulnerable to critical RCE
Russian hackers evolve malware pushed in "I am not a robot" captchas
PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign
Hackers exploit 34 zero-days on first day of Pwn2Own Ireland
CVE-2022-48503 Apple Multiple Products Unspecified Vulnerability
CVE-2025-33073 Microsoft Windows SMB Client Improper Access Control Vulnerability
CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
CVE-2025-61884 Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2025-47827 IGEL OS Use of a Key Past its Expiration Date Vulnerability
CVE-2007-0671 Microsoft Office Excel Remote Code Execution Vulnerability
Free online web security scanner