Le applet Flash possono essere utilizzate per gli exploit CSRF ma dipende dalla politica di origine o XML-RPC o simili.

Se vuoi inviare una richiesta XML-RPC con un corpo xml in un modulo html devi usare un modulo come questo:

<form name="x" enctype="text/plain" action="" method="post">
<input type="hidden" name='<?xml version'value='"1.1"?><a><b>blah blah</b></a>'>
</form>
<script>document.x.submit();</script>

(Ma se l'applicazione web o il server controlla il tipo di contenuto non funzionerà.)

e per la politica della stessa origine:

CSRF in Plupload (CVE-2012-3415)

The Plupload applet called Security.allowDomain('*') to allow the applet to be used from any domain (so it could be served from S3, for instance). That meant people could interact with the Plupload applet from any other site on the Internet by embedding it on a page and using JavaScript. But due to the way the same-origin policy works in Flash, the applet could still make requests back to the domain on which it was hosted. In addition, people can specify the full URL for an upload request via JavaScript and the result of that request (ie: the HTML of the resulting page) is passed back via JavaScript to the embedding page.

So, if an attacker could convince a target to interact with the applet (by selecting a single file to be uploaded), the attacker could make a request to the domain that the applet was hosted on and read back the full response. That could disclose CSRF tokens or other sensitive information. This issue was especially important for Wordpress installations, where Plupload applets are hosted inside of the wp-includes directory by default.

The issue was resolved by removing the call to Security.allowDomain('*') by default.

Inoltre, le applet Flash possono avere anche vulnerabilità XSS. Ulteriori informazioni e riferimenti