Adobe Flash Player before 184.108.40.206 and 14.x before 220.127.116.11 on Windows and OS X and before 18.104.22.1684 on Linux, Adobe AIR before 22.214.171.124 on Android, Adobe AIR SDK before 126.96.36.199, and Adobe AIR SDK & Compiler before 188.8.131.52 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.
Contact me: https://miki.it/contact
To get the code:
$ go get github.com/mikispag/rosettaflash
Then, get into $GOPATH/github.com/mikispag/rosettaflash and use the go build command to compile.
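
On the server side, a JSONP endpoint can be hardened against the issue described in the CVE text above so that its response never begins with caller-chosen bytes. The following Go handler is an added example, not part of rosettaflash; the handler name, the callback policy and the sample data are assumptions, and the /**/ prefix with the Content-Disposition and X-Content-Type-Options headers are the commonly deployed mitigations for this class of issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Assumed policy: up to four dotted identifiers of at most 32 characters each.
// A charset check alone is not enough, since the crafted SWF fits the charset.
var callbackRe = regexp.MustCompile(
	`^[A-Za-z_$][A-Za-z0-9_$]{0,31}(\.[A-Za-z_$][A-Za-z0-9_$]{0,31}){0,3}$`)

// jsonpHandler is a hypothetical JSONP endpoint returning constructed sample data.
func jsonpHandler(w http.ResponseWriter, r *http.Request) {
	cb := r.URL.Query().Get("callback")
	if !callbackRe.MatchString(cb) {
		http.Error(w, "invalid callback", http.StatusBadRequest)
		return
	}
	body, _ := json.Marshal(map[string]string{"user": "alice"}) // cannot fail for a string map
	h := w.Header()
	h.Set("Content-Type", "application/javascript; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	// Ask the browser to treat the response as a download, not embeddable content.
	h.Set("Content-Disposition", `attachment; filename="f.txt"`)
	// The fixed comment prefix means the body never starts with caller-chosen bytes.
	fmt.Fprintf(w, "/**/%s(%s);", cb, body)
}

// respond drives the handler in-process and returns status, body and headers.
func respond(callback string) (int, string, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/api", nil)
	req.URL.RawQuery = url.Values{"callback": {callback}}.Encode()
	rec := httptest.NewRecorder()
	jsonpHandler(rec, req)
	return rec.Code, rec.Body.String(), rec.Header()
}

func main() {
	// Constructed inputs: an ordinary callback and an over-long alphanumeric one.
	for _, cb := range []string{"handleUser", "CWS" + strings.Repeat("A", 200)} {
		code, body, _ := respond(cb)
		fmt.Printf("%d %q\n", code, body)
	}
}
```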