US-CERT is aware of reported vulnerabilities in Flash (SWF) files that may allow a remote, unauthenticated attacker to conduct cross-site scripting attacks on a vulnerable system. The flaws exist in the way that input is validated when passed to embedded ActionsScript and JavaScript in the SWF file. Authoring tools that automatically generate Flash files may introduce these vulnerabilities.
 
More information regarding these vulnerabilities can be found in:

• Vulnerability Note VU#249337
• Web site document "XSS Vulnerabilities in Common Shockwave Flash Files"