Adobe Flex 3 DOM-based XSS vulnerability

Description

Adobe Flex 3 contains a DOM-based cross-site scripting (XSS) vulnerability in the History Management feature. This vulnerability allows attackers to inject malicious scripts into web applications built with Flex 3 that have History Management enabled. The flaw exists in client-side JavaScript code that processes user-controlled input without proper sanitization, enabling script execution in the context of the vulnerable application.

Remediation

Organizations using Adobe Flex 3 should take the following remediation steps:

1. Update the Flex SDK: Download and install the Flex 3.0.2 SDK update, which addresses this vulnerability, from Adobe's official website

2. Rebuild affected applications: Recompile all Flex applications that use the History Management feature with the updated SDK

3. Redeploy applications: Replace all deployed instances of affected applications with the recompiled versions

4. Verify the fix: Test updated applications to ensure History Management functionality works correctly and the vulnerability is resolved

5. Update development environments: If using Flex Builder 3, update all development instances to use the patched SDK to prevent introduction of the vulnerability in future builds

For applications where History Management is not required, consider disabling this feature as an additional security measure.
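
For steps 3 and 4, one way to confirm that no deployed instance still carries pre-update History Management files is to hash each deployed copy against the rebuilt output. This is an added example, not Adobe's or Invicti's code; it assumes the support files sit in a single directory of the build output, and the directory name `history`, the file names and the file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def file_hashes(directory):
    """Map relative path -> SHA-256 for every file under directory."""
    out = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, directory)] = hashlib.sha256(f.read()).hexdigest()
    return out

def audit_deployments(ref_dir, deployed_roots):
    """Compare each deployed copy of the support directory with the rebuilt one.

    Returns sorted (path, status): "current" matches the rebuilt output, "stale"
    differs from it (not yet redeployed, or edited), "unknown" is a file the
    rebuilt output does not contain."""
    ref = file_hashes(ref_dir)
    dir_name = os.path.basename(os.path.normpath(ref_dir))
    findings = []
    for top in deployed_roots:
        for root, dirs, _ in os.walk(top):
            if dir_name not in dirs:
                continue
            copy = os.path.join(root, dir_name)
            dirs.remove(dir_name)  # already handled; do not walk into it again
            for rel, digest in file_hashes(copy).items():
                match = "current" if digest == ref.get(rel) else "stale"
                findings.append((os.path.join(copy, rel), match if rel in ref else "unknown"))
    return sorted(findings)

def demo():
    """Constructed sample: one rebuilt output directory and two deployed sites."""
    base = tempfile.mkdtemp()
    layout = {"build/history/frame.html": "patched",      # rebuilt with updated SDK
              "siteA/app/history/frame.html": "patched",  # redeployed
              "siteB/app/history/frame.html": "old",      # missed in step 3
              "siteB/app/history/extra.js": "x"}          # not part of the rebuild
    for rel, body in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    roots = [os.path.join(base, "siteA"), os.path.join(base, "siteB")]
    found = audit_deployments(os.path.join(base, "build", "history"), roots)
    return [(os.path.relpath(p, base).replace(os.sep, "/"), s) for p, s in found]

if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:8} {path}")
```

Any `stale` or `unknown` entry marks a deployment to replace or inspect before treating the remediation as complete.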