@masatokinugawa found a previously unknown XSS vulnerability in ZeroClipboard, a Flash application used by several of our applications to allow users to copy values to their clipboards. Because this was a vulnerability in a Flash application, our Content Security Policy headers did not prevent the execution of JavaScript. @masatokinugawa was very helpful in demonstrating the vulnerability and giving feedback as our developers worked to fix the issue.

CVE-2014-1869 has been created for this vulnerability and can be found in the National Vulnerability Database.