CVE-2021-33605
CVE-2021-33605 affects com.vaadin:vaadin-checkbox-flow across multiple versions (1.2.0–2.0.0 for Vaadin 12–14, 2.0.0–3.0.0 for Vaadin 14, 3.0.0–4.0.1 for Vaadin 15–17, 14.5.0–14.6.7, 18.0.0–20.0.5). Root cause: improper check in CheckboxGroup permits modifying the value of a disabled Checkbox ins...
CVE-2021-31412
The CVE-2021-31412 entry describes an information-disclosure issue in Vaadin Flow Server’s default RouteNotFoundError view. The vulnerability arises from improper sanitization of the path, enabling a network attacker to enumerate all available routes when the application runs in production mode a...
CVE-2021-31409
The CVE-2021-31409 entry concerns Vaadin’s EmailValidator in the com.vaadin:vaadin-compatibility-server module (versions 8.0.0–8.12.4). A RegEx-based input validation flaw can lead to uncontrolled resource consumption (DoS) when processing malicious email addresses. The referenced advisories and ...
CVE-2020-36319
Insecure configuration of the default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController...
CVE-2021-31408
The CVE-2021-31408 issue affects vaadin:flow-client: versions 5.0.0 prior to 6.0.0 (Vaadin 18) and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3). The root cause is an incorrect HTTP method in Authentication.logout() combined with Spring Security CSRF protection, which, according to the provi...
CVE-2021-31405
The CVE pertains to Vaadin text-field-flow’s EmailField regex validation, which allows a ReDoS-style resource exhaustion by submitting malicious email addresses. Affected are vaadin-text-field-flow versions 2.0.4–2.3.2 (Vaadin 14.0.6–14.4.3) and 3.0.0–4.0.2 (Vaadin 15.0.0–17.0.10). The root cause...
CVE-2021-31407
Vulnerability: CVE-2021-31407 affects Vaadin’s OSGi integration in flow-server. Affected: com.vaadin:flow-server versions 1.2.0–2.4.7 (Vaadin 12.0.0–14.4.9) and 6.0.0–6.0.1 (Vaadin 19.0.0). Description: allows an attacker to access server-side application classes and resources via a crafted HTTP ...
CVE-2020-36321
CVE-2020-36321 affects the Vaadin flow-server: vulnerable versions are 2.0.0–2.4.1 (Vaadin 14.0.0–14.4.2) and 3.0 prior to 5.0 (Vaadin 15 prior to 18). The flaw is improper URL validation in the development mode handler, enabling an attacker to request arbitrary files outside the intended fronten...
CVE-2019-25027
The CVE-2019-25027 issue affects com.vaadin:flow-server, specifically the default RouteNotFoundError view. The vulnerability arises from missing output sanitization and affects versions 1.0.0–1.0.10 (Vaadin 10.0.0–10.0.13) and 1.1.0–1.4.2 (Vaadin 11.0.0–13.0.5), allowing an attacker to execute ma...
CVE-2019-25028
CVE-2019-25028 describes a stored cross-site scripting (XSS) vulnerability in Vaadin's Grid component (com.vaadin:vaadin-server). Affected are Vaadin Server versions 7.4.0–7.7.19 and 8.0.0–8.8.4. An attacker could inject malicious JavaScript via an unspecified vector, with potential impact includ...