It's possible to inject script into flash object URL.
vulners.com/securityvulns/securityvulns:doc:3915