The host is installed with Adobe Flash Player before 13.0.0.241 or 14.x before 14.0.0.176 or Adobe AIR before 14.0.0.178 and is prone to a security bypass vulnerability. A flaw is present in the applications, which fail to handle a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API, in conjunction with a manipulation involving a '{1}apos; (dollar sign) or '(' (open parenthesis) character. Successful exploitation could allow remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information.