Our application uses Flash and one of the files allows a URL parameter to direct it to receive content. An attacker can exploit this by tricking a user into visiting a crafted URL making it look as though it’s our company’s content, but actually from the attacker.
Further attempts to exploit this, such as with cross-site flashing, failed as only content could be displayed, but no code was able to be executed.
You should report this question in either the ActionScript or Flash forums. This forum is for a UI tool for the Flex framework that has been discontinued.