Adobe Flash Player before 126.96.36.199 and 14.x before 188.8.131.52 on Windows and OS X and before 184.108.40.2064 on Linux, Adobe AIR before 220.127.116.11 on Android, Adobe AIR SDK before 18.104.22.168, and Adobe AIR SDK & Compiler before 22.214.171.124 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.
Contact me: https://miki.it/contact
To get the code:
$ go get github.com/mikispag/rosettaflash
Then change into $GOPATH/src/github.com/mikispag/rosettaflash and run the go build command to compile.
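For the JSONP endpoints named in the advisory text above, the following is an added example of server-side hardening; it is not part of the rosettaflash project or its author's code. It restricts the callback parameter and prefixes the response so the body never starts with caller-controlled bytes. The callback pattern, the 64-character limit and the Handler endpoint are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Assumed policy: dotted JavaScript identifiers only, e.g. "cb" or "app.onData".
var callbackRE = regexp.MustCompile(`^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$`)

const maxCallbackLen = 64 // assumed limit; legitimate callback names are short

// JSONPBody validates the callback and builds the response body. The leading
// "/**/" comment keeps the first bytes of the body out of the caller's control,
// so the body cannot begin with an SWF signature (FWS, CWS or ZWS).
func JSONPBody(callback string, payload []byte) (string, error) {
	if len(callback) > maxCallbackLen || !callbackRE.MatchString(callback) {
		return "", errors.New("invalid JSONP callback")
	}
	return fmt.Sprintf("/**/%s(%s);", callback, payload), nil
}

// Handler is a hypothetical JSONP endpoint that applies the check.
func Handler(w http.ResponseWriter, r *http.Request) {
	body, err := JSONPBody(r.URL.Query().Get("callback"), []byte(`{"ok":true}`))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "application/javascript; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	// Mark the response as a download rather than content to render inline.
	h.Set("Content-Disposition", `attachment; filename="f.txt"`)
	fmt.Fprint(w, body)
}

func main() {
	// Constructed requests: an ordinary callback and a long alphanumeric one.
	for _, cb := range []string{"app.onData", fmt.Sprintf("CWS%0100d", 0)} {
		rec := httptest.NewRecorder()
		Handler(rec, httptest.NewRequest("GET", "/api?callback="+cb, nil))
		fmt.Println(rec.Code, rec.Body.String())
	}
}
```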